Frank Cusack [Tue, 24 Dec 2002 00:34:13 +0000 (00:34 +0000)]
Improve MPPE rejection logic.
When doing MPPE, if the peer doesn't agree to it, we need to terminate
LCP. Older win* clients request Stac/LZS along with MPPE (because
MPPE overloads MPPC ... sigh). So if sending CONFREJ, we would keep
LCP up if we saw a CI_MPPE *at all*, because the CONFREJ may have
been due to the Stac/LZS option. Now, we only keep LCP up if the MPPE
offer is acceptable.
Thanks to James Cameron for showing this problem in action.
Paul Mackerras [Fri, 6 Dec 2002 12:06:45 +0000 (12:06 +0000)]
Make sure we don't do FD_SET(fd, set) with fd >= FD_SETSIZE since
that could corrupt memory, and maybe could form the basis of an
attack on pppd. The problem was pointed out by Jun-ichiro itojun
Hagino.
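
The bounds check described in the commit message above, as an added example (not the code from the pppd commit); `safe_fd_set` and `build_read_set` are hypothetical names, and the descriptor list is constructed sample input.

```c
#include <stdio.h>
#include <sys/select.h>

/* Hypothetical helper (not pppd's own function): add fd to the set only
 * if it fits in the fixed-size fd_set bitmap. Returns 0 on success,
 * -1 if the descriptor is rejected. */
int safe_fd_set(int fd, fd_set *set, int *max_fd)
{
    /* fd_set holds exactly FD_SETSIZE bits and FD_SET() does no bounds
     * check, so an fd outside [0, FD_SETSIZE) writes outside the set. */
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    if (fd > *max_fd)
        *max_fd = fd;
    return 0;
}

/* Build a read set from a list of descriptors and count the rejects, so
 * the caller can log or close them instead of waiting on them. */
int build_read_set(const int *fds, int n, fd_set *set, int *max_fd)
{
    int rejected = 0;

    FD_ZERO(set);
    *max_fd = -1;
    for (int i = 0; i < n; i++)
        if (safe_fd_set(fds[i], set, max_fd) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample: two usable fds, one at the limit, one negative. */
    int fds[] = { 0, 5, FD_SETSIZE, -1 };
    fd_set rd;
    int max_fd;
    int rejected = build_read_set(fds, 4, &rd, &max_fd);

    printf("rejected=%d max_fd=%d\n", rejected, max_fd);
    return 0;
}
```
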
Paul Mackerras [Fri, 6 Dec 2002 12:03:44 +0000 (12:03 +0000)]
More copyright updates. The new CMU copyright notice is from CMU and
now explicitly allows modifications. I have an acknowledgement from
ANU that the work I have done on pppd belongs to me and not to ANU,
so I have changed the ANU copyright notices to reflect this.
Paul Mackerras [Fri, 6 Dec 2002 09:49:16 +0000 (09:49 +0000)]
More copyright updates. The new CMU copyright notice is from CMU and
now explicitly allows modifications. I have an acknowledgement from
ANU that the work I have done on pppd belongs to me and not to ANU,
so I have changed the ANU copyright notices to reflect this.
Paul Mackerras [Wed, 4 Dec 2002 23:03:33 +0000 (23:03 +0000)]
Update copyrights. The new CMU copyright notice is from CMU and now
explicitly allows modifications. I have an acknowledgement from ANU
that the work I have done on pppd belongs to me and not to ANU, so I
have changed the ANU copyright notices to reflect this. I have emails
from Pedro Roque Marques, Tommi Komulainen and Eric Rosenquist giving
me permission to change their copyright notices to be similar to the
CMU notice.
Frank Cusack [Wed, 13 Nov 2002 18:19:26 +0000 (18:19 +0000)]
add rc_avpair_copy() and use it when sending user-specified av's. This
fixes a bug with a dangling pointer. Thanks to Peter Kjellerstedt for
the report and suggested fix.
James Carlson [Sat, 2 Nov 2002 19:48:13 +0000 (19:48 +0000)]
Added EAP support with MD5-Challenge and SRP-SHA1 methods. Tested
on Linux (with both methods) and on Solaris (just MD5-Challenge).
Fixed several Makefiles that were missing references to required
modules such as tty.o.
Frank Cusack [Sun, 27 Oct 2002 11:46:24 +0000 (11:46 +0000)]
ccp_addci(): Restore behavior of only testing kernel support for the first
compression method being offered. That way the kernel will actually use
the method being offered ...
Frank Cusack [Sat, 12 Oct 2002 02:30:21 +0000 (02:30 +0000)]
Log calling number failed authorization at warn instead of error, to be
consistent with chap/pap failed authentication log level. (And it doesn't
merit "error".)
Frank Cusack [Sat, 12 Oct 2002 01:28:05 +0000 (01:28 +0000)]
- more authentication logging uniformity
. remove duplicate logging from auth.c, now in upap.c
. auth success logs at info, auth fail at warn, auth with_peer fail at error
- add remote number checks after authentication in case a plugin modifies
authorization info
- log remote number on successful/no auth
- streamline null termination of remote name for logging
Frank Cusack [Thu, 10 Oct 2002 05:47:34 +0000 (05:47 +0000)]
Add 'remotenumber' and 'allow-number' options, for CNID purposes.
In practice, the admin can configure allow-number settings, and getty
or other programs can call ppp with the remotenumber option. remotenumber
is also available to plugins; for example the radius plugin will pass this
on as the Calling-Station-Id attribute and the radius server can make an
authentication decision based on that.
Frank Cusack [Tue, 1 Oct 2002 09:51:01 +0000 (09:51 +0000)]
Send NAS-Identifier attribute instead of NAS-IP-Address, if configured.
Set some reasonable defaults for various options, if not supplied.
Patch from Ben McKeegan.
Frank Cusack [Tue, 24 Sep 2002 11:35:22 +0000 (11:35 +0000)]
Lose the poorly thought out OPT_A3OR option flag. Fix a CHAP negotiation bug
along the way -- if the peer nak'd with a chap digest we didn't support, we
would continue to offer our first choice digest.
Frank Cusack [Thu, 12 Sep 2002 05:41:49 +0000 (05:41 +0000)]
Add support for radius Class attribute. Possibly broken if chap is set to
re-authenticate and the radius server decides to change or add the Class
attribute on a subsequent (non-initial) authentication, but no more broken
than not handling it at all.
James Carlson [Mon, 9 Sep 2002 04:19:57 +0000 (04:19 +0000)]
484: make IPCP put all options in increasing numeric order in all cases.
Also fixed unrelated problem found during testing: the reqci handling
for the deprecated IP-Addresses option was setting go->ouraddr rather
than wo->ouraddr. This caused us to get confused about the meaning of
any subsequent Configure-{Ack,Reject} from the peer, since it made it
look as though the option was illegally modified by the peer.
James Carlson [Sat, 7 Sep 2002 05:15:25 +0000 (05:15 +0000)]
Added ability to detect and use either gcc or Sun WorkShop C compiler
on Solaris. Added support for Solaris 10. Quieted down warning in
ppp_comp.c due to bad preprocessor usage. Quieted WorkShop warnings
in options.c (casting of void * to function) and pppd.h (constant too
large). Tested in 32 and 64 bit modes with gcc and WorkShop.
make Octets-Direction flag accept value=4.
For NAS, it is the same as Octets-Direction = Maximum (3),
but on the radius side the maximum can be computed as
maximum in/out overall or per session/day/month/year...
David F. Skoll [Mon, 24 Jun 2002 12:57:15 +0000 (12:57 +0000)]
Patches from Frank Cusack:
- Avoid infinite loop (eventually running out of stack space) when doing
callback into ccp with MPPE enabled, by updating lcp_fsm state *before*
doing callbacks. Problem noted by Rustem Yumaev <rust@vostok-inc.com>.
- Add missing accounting attributes
- Update for newer automake; required to compile on RH 7.3
David F. Skoll [Mon, 10 Jun 2002 13:46:28 +0000 (13:46 +0000)]
Added "install-devel" Makefile target to install pppd headers required to
build pppd plugins. NOTE: Only works on Linux Makefiles; must be added for
other supported OS's.
David F. Skoll [Tue, 21 May 2002 17:26:49 +0000 (17:26 +0000)]
ECP patches from Frank Cusack:
- If encryption is required, don't bring up IP/IPv6/IPX until the
encryption negotiation has completed.
- Shut down LCP if the peer sends an LCP ConfRej instead of CCP ConfRej
to our MPPE offer. This fixes a bug where the server could not enforce
use of encryption in some cases.
- Don't send the M=<message> part of an MS-CHAPv2 success packet to peers
that don't know how to deal with it. This allows pre-win2k systems to
authenticate.
- Don't shut down lcp if MPPE was present in peer's CCP offer along with
other options. This allows pre-win2k systems to do MPPE (they offer
Stac LZS with MPPE).
- Add the beginnings of ecp.c.
- Other minor changes.