Commit log for path: root/usr.sbin/ppp/chap.c
Each entry: commit message [Author, Date, Files changed, Lines -deleted/+added]
* Do a case insensitive comparison when comparing the ms-chap response string. [brian, 2002-07-30, 1 file, -1/+1]
* Compensate for dodgy Win98/WinME MSCHAPv2 responses later in the code path... after we've talked to any RADIUS servers involved, so that we haven't touched the data before it gets to the server. [brian, 2002-06-17, 1 file, -15/+17]
  Make it clearer in the code that this compensation is done by setting a flag to a value of zero, a flag which rfc2759 says *MUST* be zero.
  While we're here, don't bother passing the peer challenge into radius_Authenticate(). It's already part of the key we're passing in (this becomes obvious now that I've structured that data...).
  This ``fix'' doesn't help to authenticate Win98/WinME users in my test environment as ports/net/freeradius seems to ignore the flag completely anyway, but it may help with other RADIUS servers.
* Remove whitespace at the end of lines. [brian, 2002-06-15, 1 file, -4/+4]
* Don't forget to process the Ident field on the front of RAD_MICROSOFT_MS_CHAP_ERROR and RAD_MICROSOFT_MS_CHAP2_SUCCESS messages, and remove the hack in chap.c to ignore that ident field on the client side. [brian, 2002-06-12, 1 file, -2/+1]
  This anomaly was hacked around during development, and I forgot to go back and fix it properly.
  Spotted by: Sergey Korolew <ds@rt.balakovo.ru>
* Fix a mis-placed #else/#endif [brian, 2002-05-16, 1 file, -2/+1]
* Handle MS-CHAPv2 authentication correctly via the RADIUS server (if it's configured). [brian, 2002-05-16, 1 file, -16/+25]
  Handle internal failures in radius_Authenticate() correctly.
  Bump the ppp version number.
  This doesn't yet work with MPPE. More will follow.
  Sponsored by: Mozoon
* o Clean up some #includes [brian, 2002-05-14, 1 file, -1/+0]
  o Bump version number to 3.0.4
  o When talking to a RADIUS server, provide a NAS-Port-Type. When the NAS-Port-Type is Ethernet, provide a NAS-Port value equal to the SESSIONID from the environment in direct mode or the NGM_PPPOE_SESSIONID message in other modes. If no SESSIONID is found, default to the interface index in client mode or zero in server mode. When the NAS-Port-Type is ISDN, set the NAS-Port to the minor number of the physical device (ie, the N in /dev/i4brbchN). This makes it easier for the RADIUS server to identify the client WRT accounting data etc.
  Prompted by: lsz8425 <lsz8425@mail.cd.hn.cn>
* Add support for MS-CHAP authentication via a RADIUS server. [brian, 2002-05-10, 1 file, -4/+19]
  Add support for Reply-Message and MS-CHAP-Error.
  Sponsored by: Monzoon
* Merge the NETGRAPH branch into HEAD. tty devices now use netgraph's line discipline to do the async escaping, but no other benefits are available yet. [brian, 2002-03-30, 1 file, -31/+31]
  Change ``ifdef HAVE_DES'' to ``ifndef NODES'' for consistency.
  Make the Makefile a little more sane WRT RELEASE_CRUNCH.
* o Add ipv6 support, abstracting most NCP addresses into opaque structures (well, they're treated as opaque). It's now possible to manage IPv6 interface addresses and routing table entries and to filter IPV6 traffic whether encapsulated or not. IPV6CP support is crude for now, and hasn't been tested against any other implementations. RADIUS and IPv6 are independent of each other for now. ppp.linkup/ppp.linkdown aren't currently used by IPV6CP [brian, 2001-08-14, 1 file, -0/+5]
  o Understand all protocols(5) in filter rules rather than only a select few.
  o Allow a mask specification for the ``delete'' command. It's now possible to specifically delete one of two conflicting routes.
  o When creating and deleting proxy arp entries, do it for all IPv4 interface addresses rather than doing it just for the ``current'' peer address.
  o When iface-alias isn't in effect, don't blow away manually (via ``iface add'') added interface addresses.
  o When listening on a tcp server (diagnostic) socket, bind so that a tcp46 socket is created -- allowing both IPv4 and IPv6 connections.
  o When displaying ICMP traffic, don't display the icmp type twice. When displaying traffic, display at least some information about unrecognised traffic.
  o Bump version
  Inspired after filtering work by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
* Warn when a CHAP81 SUCCESS packet is invalid due to an incorrect S= value. [brian, 2001-08-03, 1 file, -2/+2]
* The wrong-last-byte bug on win98 chap responses is also in winME [brian, 2001-08-02, 1 file, -1/+1]
* Don't include a NUL at the end of our CHAP SUCCESS packet. [brian, 2001-07-31, 1 file, -1/+1]
  When encryption (MPPE) is enabled, WindowsME and Windows98 both fail because of the extra byte, suggesting that they authenticated successfully in their log and then dropping the connection, telling the user that the peer doesn't support compatible encryption options.
  MFC after: 1 week
* When we receive a CHAP81 challenge response, we always expect the last byte of the packet to contain '\0'. Windows 98 gets this wrong, dropping garbage into the last byte and failing authentication. [brian, 2001-07-31, 1 file, -0/+5]
  Now, we notice this and whinge to our log file that we're compensating for the corrupt data.
* Convert IIJ copyrights to BSD copyrights. [brian, 2001-06-13, 1 file, -18/+25]
  Approved by: Toshiharu OHNO <tohno@sirius.ocn.ne.jp>
* Don't assume challenges and responses don't contain embedded '\0's. [brian, 2001-04-01, 1 file, -9/+5]
  Mschapv2 response generation may produce embedded NULs... causing us to send a bogus response to the radius server and end up failing the client's valid response.
  Problem pointed out by: Eugene Vigovskiy <vigov@com2com.ru>
* Introduce another global (MPPE_IsServer) so that we initiate the MPPE session keys correctly. [brian, 2000-11-07, 1 file, -5/+8]
  I'm a bit dubious about this code. It seems that the session keys are initialised differently based on whether you're the client or the server. One side is the server if it issues the first challenge, but of course you can issue a challenge from both sides.... at the same time. Sounds like another wonderful M$ assumption...
  Ppp can now talk to itself correctly using encryption.
  Problem solved by: Ustimenko Semen <semen@iclub.nsu.ru>
  Hair torn out by: me
* Various whitespace changes. [brian, 2000-10-30, 1 file, -8/+11]
  Make some functions static.
* Add MPPE and MSChap v2 support (denied and disabled by default) [brian, 2000-10-30, 1 file, -13/+147]
  Submitted by: Ustimenko Semen <semen@iclub.nsu.ru>
* Make -DNOSUID (or -DPPP_NOSUID) possible to build ppp without SUID capabilities. [brian, 2000-08-18, 1 file, -0/+2]
* Allow leading ``!'' characters in authkeys and chat scripts to be doubled up to mean a single literally ``!''. [brian, 2000-08-09, 1 file, -3/+4]
* Support link identification from rfc1570 [brian, 2000-07-19, 1 file, -1/+1]
  Two new commands are available; ``ident'' and ``sendident''.
* To avoid namespace pollution in NetBSD: ``struct descriptor'' -> ``struct fdescriptor'' [brian, 2000-03-14, 1 file, -4/+4]
* Add a few missing #includes [brian, 1999-12-30, 1 file, -0/+1]
* Correct usages of getuid() and geteuid() [brian, 1999-12-30, 1 file, -1/+1]
  Pointed out by: billf
* Add a bunch of `const's and fix a typo. [brian, 1999-12-27, 1 file, -1/+1]
  Submitted by: Rich Neswold <rneswold@MCS.Net>
* Notice and warn about unterminated quoted strings in commands. [brian, 1999-12-20, 1 file, -1/+9]
  The entire command is ignored if the syntax is invalid...
* Cosmetic: Make struct mbuf more like kernel mbufs. [brian, 1999-12-20, 1 file, -11/+11]
* o Split the two IPCP queues into three - one for FSM data (LCP/CCP/IPCP), one for urgent IP traffic and one for everything else. [brian, 1999-09-04, 1 file, -1/+1]
  o Add the ``set urgent'' command for adjusting the list of urgent port numbers. The default urgent ports are 21, 22, 23, 513, 514, 543 and 544 (Ports 80 and 81 have been removed from the default priority list).
  o Increase the buffered packet threshold from 20 to 30.
  o Report the number of packets in the IP output queue and the list of urgent ports under ``show ipcp''.
* $Id$ -> $FreeBSD$ [peter, 1999-08-28, 1 file, -1/+1]
* Set the close-on-exec flag for all unused descriptors when exec()ing other programs. [brian, 1999-08-17, 1 file, -14/+10]
* Don't declare `end' if we aren't compiling radius support. [brian, 1999-07-15, 1 file, -2/+4]
* Use the correct pid when substituting PROCESSID. [brian, 1999-06-09, 1 file, -2/+4]
  Problem reported by: Amedeo Beck Peccoz <gea@gressoney.it>
* o Alter the mbuf type as it's processed by different layers. [brian, 1999-06-02, 1 file, -2/+3]
  o Show more information about missing MP fragments in ``show mp''.
  o Do away with mbuf_Log(). It was showing mbuf stats twice on receipt of LCP/CCP/IPCP packets.... ???!!?
  o Pre-allocate a bit extra when creating LQR packets to avoid having to allocate another mbuf in mbuf_Prepend().
* o Redesign the layering mechanism and make the aliasing code part of the layering. [brian, 1999-05-08, 1 file, -22/+32]
  We now ``stack'' layers as soon as we open the device (when we figure out what we're dealing with). A static set of `dispatch' routines are also declared for dealing with incoming packets after they've been `pulled' up through the stacked layers.
  Physical devices are now assigned handlers based on the device type when they're opened. For the moment there are three device types; ttys, execs and tcps.
  o Increment version number to 2.2
  o Make an entry in [uw]tmp for non-tty -direct invocations (after pap/chap authentication).
  o Make throughput counters quad_t's
  o Account for the absolute number of mbuf malloc()s and free()s in ``show mem''.
  o ``show modem'' becomes ``show physical''.
* Split the recorded chap challenge into two - one for the receiver and one for the sender. [brian, 1999-04-21, 1 file, -17/+20]
  This allows two simultaneous chap conversations - something that I *thought* I was already doing on a daily basis myself until the existence of the problem was
  Beaten into me by: sos
* Drop PAP & CHAP packets if we're not in NETWORK or AUTHENTICATE phase. [brian, 1999-04-01, 1 file, -1/+8]
* Handle empty PAP & CHAP packets (containing only an FSM header). [brian, 1999-02-20, 1 file, -3/+4]
  Some CHAP implementations send no welcome message with their SUCCESS/FAILURE packets. This was being mis-identified as a truncated packet by the new authentication code :-(
* Build correctly when -DNOCRYPT is used. [brian, 1999-02-18, 1 file, -18/+78]
* Don't expect a chap response if we haven't negotiated chap 0x80. [brian, 1999-02-18, 1 file, -2/+3]
* Fully support both NT and LANMan CHAP type 0x80 as both authenticator and authenticatee. [brian, 1999-02-18, 1 file, -56/+131]
* When resending chap challenges, resend the same challenge each time rather than making up a new one. [brian, 1999-02-11, 1 file, -30/+241]
  Increase the authname/authkey max sizes to 100 characters.
  Allow ``authkey'' specifications beginning with ``!''. When a challenge is received, the text following the ``!'' is executed as a program (expanding stuff in the same way that ``sh'' and ``!bg'' do). The program is passed the peer name, peer challenge and local ``authname'' on standard input and is expected to output the name/key combination that should be used to build the CHAP response.
  This provides support for Secure ID cards (guess what I was given at work recently!) using CHAP. Examples will follow.
* Correct server-side chap authentication comparison (broken with last commit). [brian, 1999-02-07, 1 file, -2/+2]
* Remove forgotten diagnostics [brian, 1999-02-07, 1 file, -3/+1]
* Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. [brian, 1999-02-06, 1 file, -219/+273]
  This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial.
  While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types.
  NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!).
  Sponsored by: Internet Business Solutions Ltd., Switzerland
* o Send a CHAP challenge of 16 random digits when RADIUS is configured. This isn't strictly necessary according to the rfc, but it's suggested there.... [brian, 1999-01-29, 1 file, -37/+40]
  o Don't forget to include our authname when sending a CHAP challenge when RADIUS is configured.
  o Don't supply the ``16'' representing the chap answer length to radius_Authenticate() - libradius does this for us.
  o When we successfully authenticate via radius_Authenticate(), continue with datalink_AuthOk() as expected.
  Sponsored by: Internet Business Solutions Ltd., Switzerland
* Initial RADIUS support (using libradius). See the man page for details. [brian, 1999-01-28, 1 file, -14/+43]
  Compiling with -DNORADIUS (the default for `release') removes support.
  TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur.
  Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-(
  Sponsored by: Internet Business Solutions Ltd., Switzerland
* Fix some OpenBSD/alpha warnings [brian, 1998-08-26, 1 file, -2/+2]
* o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) [brian, 1998-08-07, 1 file, -2/+3]
  o Add a ``cbcp'' log level and mbuf type.
  o Don't dump core when \T is given in ``set login'' or ``set hangup''.
  o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters.
  o Remove a few extraneous #includes
  o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place.
  o Fix a few man page inconsistencies.
* o Tidy up PAP and CHAP diagnostics. They're now all logged as PHASE diagnostics (which are on by default). [brian, 1998-07-28, 1 file, -13/+20]
  o Deal correctly with both sides wanting CHAP.
  o Output a warning if we're using an empty ``authname''. This is *not* what we want to do.