authorbrian <brian@FreeBSD.org>2004-11-29 17:11:15 +0000
committerbrian <brian@FreeBSD.org>2004-11-29 17:11:15 +0000
commit5cb50742628dc40e5c863bf0359d9eb6bf149538 (patch)
tree3671250bedfb9a3ce78a425c8c972746dddfb609 /usr.sbin/ppp
parent6800033a3cbeeb6d335f0b76563d55e79a996fe1 (diff)
Send NAS-IP-Address as well as NAS-Identifier
Add ``disable NAS-IP-Address'' and ``disable NAS-Identifier'' options to support pre-rfc2865 RADIUS servers. This pushes our enable/disable items over the 32 bit limit, so reorganise things to allow a bunch more options. Go to version 3.4.1 so that any compatibility problems can be identified.
Diffstat (limited to 'usr.sbin/ppp')
-rw-r--r--usr.sbin/ppp/bundle.c21
-rw-r--r--usr.sbin/ppp/bundle.h53
-rw-r--r--usr.sbin/ppp/command.c38
-rw-r--r--usr.sbin/ppp/main.c2
-rw-r--r--usr.sbin/ppp/ppp.8.m443
-rw-r--r--usr.sbin/ppp/radius.c20
6 files changed, 120 insertions, 57 deletions
diff --git a/usr.sbin/ppp/bundle.c b/usr.sbin/ppp/bundle.c
index ebf4f07..912f855 100644
--- a/usr.sbin/ppp/bundle.c
+++ b/usr.sbin/ppp/bundle.c
@@ -829,12 +829,15 @@ bundle_Create(const char *prefix, int type, int unit)
bundle.cfg.idle.min_timeout = 0;
*bundle.cfg.auth.name = '\0';
*bundle.cfg.auth.key = '\0';
- bundle.cfg.opt = OPT_IDCHECK | OPT_LOOPBACK | OPT_SROUTES | OPT_TCPMSSFIXUP |
- OPT_THROUGHPUT | OPT_UTMP;
+ bundle.cfg.optmask = (1ull << OPT_IDCHECK) | (1ull << OPT_LOOPBACK) |
+ (1ull << OPT_SROUTES) | (1ull << OPT_TCPMSSFIXUP) |
+ (1ull << OPT_THROUGHPUT) | (1ull << OPT_UTMP) |
+ (1ull << OPT_NAS_IP_ADDRESS) |
+ (1ull << OPT_NAS_IDENTIFIER);
#ifndef NOINET6
- bundle.cfg.opt |= OPT_IPCP;
+ opt_enable(&bundle, OPT_IPCP);
if (probe.ipv6_available)
- bundle.cfg.opt |= OPT_IPV6CP;
+ opt_enable(&bundle, OPT_IPV6CP);
#endif
*bundle.cfg.label = '\0';
bundle.cfg.ifqueue = DEF_IFQUEUE;
@@ -870,7 +873,7 @@ bundle_Create(const char *prefix, int type, int unit)
bundle.filter.alive.name = "ALIVE";
bundle.filter.alive.logok = 1;
{
- int i;
+ int i;
for (i = 0; i < MAXFILTERS; i++) {
bundle.filter.in.rule[i].f_action = A_NONE;
bundle.filter.out.rule[i].f_action = A_NONE;
@@ -1050,9 +1053,9 @@ bundle_ShowLinks(struct cmdargs const *arg)
}
static const char *
-optval(struct bundle *bundle, int bit)
+optval(struct bundle *bundle, int opt)
{
- return (bundle->cfg.opt & bit) ? "enabled" : "disabled";
+ return Enabled(bundle, opt) ? "enabled" : "disabled";
}
int
@@ -1142,6 +1145,10 @@ bundle_ShowStatus(struct cmdargs const *arg)
optval(arg->bundle, OPT_THROUGHPUT));
prompt_Printf(arg->prompt, " Utmp Logging: %s\n",
optval(arg->bundle, OPT_UTMP));
+ prompt_Printf(arg->prompt, " NAS-IP-Address: %-20.20s",
+ optval(arg->bundle, OPT_NAS_IP_ADDRESS));
+ prompt_Printf(arg->prompt, " NAS-Identifier: %s\n",
+ optval(arg->bundle, OPT_NAS_IDENTIFIER));
return 0;
}
diff --git a/usr.sbin/ppp/bundle.h b/usr.sbin/ppp/bundle.h
index f34e9bf..e2f9e7f 100644
--- a/usr.sbin/ppp/bundle.h
+++ b/usr.sbin/ppp/bundle.h
@@ -33,27 +33,32 @@
#define PHASE_TERMINATE 4 /* Terminating link */
/* cfg.opt bit settings */
-#define OPT_FILTERDECAP 0x0001
-#define OPT_FORCE_SCRIPTS 0x0002 /* force chat scripts */
-#define OPT_IDCHECK 0x0004
-#define OPT_IFACEALIAS 0x0008
+#define OPT_FILTERDECAP 1
+#define OPT_FORCE_SCRIPTS 2 /* force chat scripts */
+#define OPT_IDCHECK 3
+#define OPT_IFACEALIAS 4
#ifndef NOINET6
-#define OPT_IPCP 0x0010
-#define OPT_IPV6CP 0x0020
+#define OPT_IPCP 5
+#define OPT_IPV6CP 6
#endif
-#define OPT_KEEPSESSION 0x0040
-#define OPT_LOOPBACK 0x0080
-#define OPT_PASSWDAUTH 0x0100
-#define OPT_PROXY 0x0200
-#define OPT_PROXYALL 0x0400
-#define OPT_SROUTES 0x0800
-#define OPT_TCPMSSFIXUP 0x1000
-#define OPT_THROUGHPUT 0x2000
-#define OPT_UTMP 0x4000
+#define OPT_KEEPSESSION 7
+#define OPT_LOOPBACK 8
+#define OPT_NAS_IP_ADDRESS 9
+#define OPT_NAS_IDENTIFIER 10
+#define OPT_PASSWDAUTH 11
+#define OPT_PROXY 12
+#define OPT_PROXYALL 13
+#define OPT_SROUTES 14
+#define OPT_TCPMSSFIXUP 15
+#define OPT_THROUGHPUT 16
+#define OPT_UTMP 17
+#define OPT_MAX 17
#define MAX_ENDDISC_CLASS 5
-#define Enabled(b, o) ((b)->cfg.opt & (o))
+#define Enabled(b, o) ((b)->cfg.optmask & (1ull << (o)))
+#define opt_enable(b, o) ((b)->cfg.optmask |= (1ull << (o)))
+#define opt_disable(b, o) ((b)->cfg.optmask &= ~(1ull << (o)))
/* AutoAdjust() values */
#define AUTO_UP 1
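Review bot: `Enabled()` now evaluates to the masked `unsigned long long` rather than a truth value, so a caller that stores the result in an `int` or passes it as an `int` argument would see 0 for any option numbered 32 or higher, which is the range this change opens up. Normalising the result in the macro avoids that: `#define Enabled(b, o) (((b)->cfg.optmask & (1ull << (o))) != 0)`. The `OPT_` values are now shift counts rather than masks, so the comment above them (`/* cfg.opt bit settings */`) is stale, and any remaining expression such as `OPT_PROXY | OPT_PROXYALL` handed to these macros would still compile and test an unrelated bit. A comment saying so, plus a compile-time check that `OPT_MAX` stays below 64 (a shift by 64 or more is undefined), would make the new contract explicit.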
@@ -98,19 +103,19 @@ struct bundle {
struct {
struct {
- unsigned timeout; /* NCP Idle timeout value */
- unsigned min_timeout; /* Don't idle out before this */
+ unsigned timeout; /* NCP Idle timeout value */
+ unsigned min_timeout; /* Don't idle out before this */
} idle;
struct {
- char name[AUTHLEN]; /* PAP/CHAP system name */
- char key[AUTHLEN]; /* PAP/CHAP key */
+ char name[AUTHLEN]; /* PAP/CHAP system name */
+ char key[AUTHLEN]; /* PAP/CHAP key */
} auth;
- unsigned opt; /* Uses OPT_ bits from above */
- char label[50]; /* last thing `load'ed */
- u_short ifqueue; /* Interface queue size */
+ unsigned long long optmask; /* Uses OPT_ bits from above */
+ char label[50]; /* last thing `load'ed */
+ u_short ifqueue; /* Interface queue size */
struct {
- unsigned timeout; /* How long to leave the output queue choked */
+ unsigned timeout; /* How long to leave the output queue choked */
} choked;
} cfg;
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index 7f30097..acd1075 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -167,7 +167,7 @@
#define NEG_MPPE 54
#define NEG_CHAP81 55
-const char Version[] = "3.4";
+const char Version[] = "3.4.1";
static int ShowCommand(struct cmdargs const *);
static int TerminalCommand(struct cmdargs const *);
@@ -2612,7 +2612,7 @@ NatEnable(struct cmdargs const *arg)
return 0;
} else if (strcasecmp(arg->argv[arg->argn], "no") == 0) {
arg->bundle->NatEnabled = 0;
- arg->bundle->cfg.opt &= ~OPT_IFACEALIAS;
+ opt_disable(arg->bundle, OPT_IFACEALIAS);
/* Don't iface_Clear() - there may be manually configured addresses */
return 0;
}
@@ -2757,24 +2757,32 @@ ident_cmd(const char *cmd, unsigned *keep, unsigned *add)
static int
OptSet(struct cmdargs const *arg)
{
- int bit = (int)(long)arg->cmd->args;
- unsigned keep; /* Keep these bits */
- unsigned add; /* Add these bits */
+ int opt = (int)(long)arg->cmd->args;
+ unsigned keep; /* Keep this opt */
+ unsigned add; /* Add this opt */
if (ident_cmd(arg->argv[arg->argn - 2], &keep, &add) == NULL)
return 1;
#ifndef NOINET6
- if (add == NEG_ENABLED && bit == OPT_IPV6CP && !probe.ipv6_available) {
+ if (add == NEG_ENABLED && opt == OPT_IPV6CP && !probe.ipv6_available) {
log_Printf(LogWARN, "IPv6 is not available on this machine\n");
return 1;
}
#endif
+ if (!add && ((opt == OPT_NAS_IP_ADDRESS &&
+ !Enabled(arg->bundle, OPT_NAS_IDENTIFIER)) ||
+ (opt == OPT_NAS_IDENTIFIER &&
+ !Enabled(arg->bundle, OPT_NAS_IP_ADDRESS)))) {
+ log_Printf(LogWARN,
+ "Cannot disable both NAS-IP-Address and NAS-Identifier\n");
+ return 1;
+ }
if (add)
- arg->bundle->cfg.opt |= bit;
+ opt_enable(arg->bundle, opt);
else
- arg->bundle->cfg.opt &= ~bit;
+ opt_disable(arg->bundle, opt);
return 0;
}
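Review bot: The new guard in OptSet() has no comment saying why the last of the two options cannot be disabled, and a reader has to go to the manual page or the RFC to find out. A one-line comment above the `if (!add && ...` test would do, for example `/* RFC 2865: an Access-Request must carry NAS-IP-Address or NAS-Identifier */`. It is also worth stating there that this only constrains the configuration; whether an attribute is actually sent is decided in radius.c.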
@@ -2782,12 +2790,12 @@ OptSet(struct cmdargs const *arg)
static int
IfaceAliasOptSet(struct cmdargs const *arg)
{
- unsigned save = arg->bundle->cfg.opt;
+ unsigned long long save = arg->bundle->cfg.optmask;
int result = OptSet(arg);
if (result == 0)
if (Enabled(arg->bundle, OPT_IFACEALIAS) && !arg->bundle->NatEnabled) {
- arg->bundle->cfg.opt = save;
+ arg->bundle->cfg.optmask = save;
log_Printf(LogWARN, "Cannot enable iface-alias without NAT\n");
result = 2;
}
@@ -2928,6 +2936,10 @@ static struct cmdtab const NegotiateCommands[] = {
"disable|enable", (const void *)OPT_KEEPSESSION},
{"loopback", NULL, OptSet, LOCAL_AUTH, "Loop packets for local iface",
"disable|enable", (const void *)OPT_LOOPBACK},
+ {"nas-ip-address", NULL, OptSet, LOCAL_AUTH, "Send NAS-IP-Address to RADIUS",
+ "disable|enable", (const void *)OPT_NAS_IP_ADDRESS},
+ {"nas-identifier", NULL, OptSet, LOCAL_AUTH, "Send NAS-Identifier to RADIUS",
+ "disable|enable", (const void *)OPT_NAS_IDENTIFIER},
{"passwdauth", NULL, OptSet, LOCAL_AUTH, "Use passwd file",
"disable|enable", (const void *)OPT_PASSWDAUTH},
{"proxy", NULL, OptSet, LOCAL_AUTH, "Create a proxy ARP entry",
@@ -2944,9 +2956,9 @@ static struct cmdtab const NegotiateCommands[] = {
"disable|enable", (const void *)OPT_UTMP},
#ifndef NOINET6
-#define OPT_MAX 14 /* accept/deny allowed below and not above */
+#define NEG_OPT_MAX 16 /* accept/deny allowed below and not above */
#else
-#define OPT_MAX 12
+#define NEG_OPT_MAX 14
#endif
{"acfcomp", NULL, NegotiateSet, LOCAL_AUTH | LOCAL_CX,
@@ -3018,7 +3030,7 @@ NegotiateCommand(struct cmdargs const *arg)
for (n = arg->argn; n < arg->argc; n++) {
argv[1] = arg->argv[n];
FindExec(arg->bundle, NegotiateCommands + (keep == NEG_HISMASK ?
- 0 : OPT_MAX), 2, 1, argv, arg->prompt, arg->cx);
+ 0 : NEG_OPT_MAX), 2, 1, argv, arg->prompt, arg->cx);
}
} else if (arg->prompt)
prompt_Printf(arg->prompt, "Use `%s ?' to get a list.\n",
diff --git a/usr.sbin/ppp/main.c b/usr.sbin/ppp/main.c
index 6f68b7f..097de79 100644
--- a/usr.sbin/ppp/main.c
+++ b/usr.sbin/ppp/main.c
@@ -393,7 +393,7 @@ main(int argc, char **argv)
SignalBundle = bundle;
bundle->NatEnabled = sw.nat;
if (sw.nat)
- bundle->cfg.opt |= OPT_IFACEALIAS;
+ opt_enable(bundle, OPT_IFACEALIAS);
if (system_Select(bundle, "default", CONFFILE, prompt, NULL) < 0)
prompt_Printf(prompt, "Warning: No default entry found in config file.\n");
diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4
index 8100ae9..26738ce 100644
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@@ -3067,6 +3067,49 @@ the other end.
It is convenient to have this option enabled when
the interface is also the default route as it avoids the necessity
of a loopback route.
+.It NAS-IP-Address
+Default: Enabled.
+This option controls whether
+.Nm
+sends the
+.Dq NAS-IP-Address
+attribute to the RADIUS server when RADIUS is in use
+.Pq see Dq set radius .
+.Pp
+Note, at least one of
+.Dq NAS-IP-Address
+and
+.Dq NAS-Identifier
+must be enabled.
+.Pp
+Versions of
+.Nm
+prior to version 3.4.1 did not send the
+.Dq NAS-IP-Address
+atribute as it was reported to break the Radiator RADIUS server.
+As the latest rfc (2865) no longer hints that only one of
+.Dq NAS-IP-Address
+and
+.Dq NAS-Identifier
+should be sent (as rfc 2138 did),
+.Nm
+now sends both and leaves it up to the administrator that chooses to use
+bad RADIUS implementations to
+.Dq disable NAS-IP-Address .
+.It NAS-Identifier
+Default: Enabled.
+This option controls whether
+.Nm
+sends the
+.Dq NAS-Identifier
+attribute to the RADIUS server when RADIUS is in use
+.Pq see Dq set radius .
+.Pp
+Note, at least one of
+.Dq NAS-IP-Address
+and
+.Dq NAS-Identifier
+must be enabled.
.It passwdauth
Default: Disabled.
Enabling this option will tell the PAP authentication
diff --git a/usr.sbin/ppp/radius.c b/usr.sbin/ppp/radius.c
index 18ba57d..03d4555 100644
--- a/usr.sbin/ppp/radius.c
+++ b/usr.sbin/ppp/radius.c
@@ -856,10 +856,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
const char *what = "questionable"; /* silence warnings! */
char *mac_addr;
int got;
-#if 0
struct hostent *hp;
struct in_addr hostaddr;
-#endif
#ifndef NODES
struct mschap_response msresp;
struct mschap2_response msresp2;
@@ -981,8 +979,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
if (gethostname(hostname, sizeof hostname) != 0)
log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
else {
-#if 0
- if ((hp = gethostbyname(hostname)) != NULL) {
+ if (Enabled(authp->physical->dl->bundle, OPT_NAS_IP_ADDRESS) &&
+ (hp = gethostbyname(hostname)) != NULL) {
hostaddr.s_addr = *(u_long *)hp->h_addr;
if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
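Review bot: The line `hostaddr.s_addr = *(u_long *)hp->h_addr;`, live again now that the `#if 0` is gone, reads a `u_long` from a buffer that holds a 4-byte IPv4 address; where `u_long` is 64 bits this reads past the address and, on big-endian machines, stores the wrong half. It also assumes the lookup returned an IPv4 entry. Checking the family and copying by size is safer: `if (hp->h_addrtype == AF_INET && hp->h_length == sizeof hostaddr.s_addr) memcpy(&hostaddr.s_addr, hp->h_addr, sizeof hostaddr.s_addr);`. The same line appears in the radius_Account() hunk further down, and the error text in both places names rad_put_string although the failing call is rad_put_addr(). The enclosing `if` body continues past the end of this hunk.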
@@ -991,8 +989,8 @@ radius_Authenticate(struct radius *r, struct authinfo *authp, const char *name,
return 0;
}
}
-#endif
- if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
+ if (Enabled(authp->physical->dl->bundle, OPT_NAS_IDENTIFIER) &&
+ rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
rad_strerror(r->cx.rad));
rad_close(r->cx.rad);
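Review bot: With `disable NAS-Identifier` in effect, this short-circuit leaves NAS-IP-Address as the only NAS attribute, yet the lookup just above skips it silently when gethostbyname() returns NULL, so the request can go out with neither attribute even though OptSet() refuses to disable both. RFC 2865 requires one of them in an Access-Request, and a server may reject or misattribute a request that has neither. Logging the failed lookup, e.g. `log_Printf(LogWARN, "NAS-IP-Address: cannot resolve %s\n", hostname);`, and falling back to sending NAS-Identifier in that case would keep the guarantee at run time. The last radius_Account() hunk has the same shape; both `if` bodies continue outside their hunks.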
@@ -1059,10 +1057,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
int got;
char hostname[MAXHOSTNAMELEN];
char *mac_addr;
-#if 0
struct hostent *hp;
struct in_addr hostaddr;
-#endif
if (!*r->cfg.file)
return;
@@ -1168,8 +1164,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
if (gethostname(hostname, sizeof hostname) != 0)
log_Printf(LogERROR, "rad_put: gethostname(): %s\n", strerror(errno));
else {
-#if 0
- if ((hp = gethostbyname(hostname)) != NULL) {
+ if (Enabled(dl->bundle, OPT_NAS_IP_ADDRESS) &&
+ (hp = gethostbyname(hostname)) != NULL) {
hostaddr.s_addr = *(u_long *)hp->h_addr;
if (rad_put_addr(r->cx.rad, RAD_NAS_IP_ADDRESS, hostaddr) != 0) {
log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
@@ -1178,8 +1174,8 @@ radius_Account(struct radius *r, struct radacct *ac, struct datalink *dl,
return;
}
}
-#endif
- if (rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
+ if (Enabled(dl->bundle, OPT_NAS_IDENTIFIER) &&
+ rad_put_string(r->cx.rad, RAD_NAS_IDENTIFIER, hostname) != 0) {
log_Printf(LogERROR, "rad_put: rad_put_string: %s\n",
rad_strerror(r->cx.rad));
rad_close(r->cx.rad);