Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Make ppp WARNS=5 clean

Compensate for dodgy Win98/WinME MSCHAPv2 responses later in the code
path... after we've talked to any RADIUS servers involved, so that we
haven't touched the data before it gets to the server.

Make it clearer in the code that this compensation is done by setting
a flag to a value of zero, a flag which rfc2759 says *MUST* be zero.

While we're here, don't bother passing the peer challenge into
radius_Authenticate(). It's already part of the key we're passing in
(this becomes obvious now that I've structured that data...).

This ``fix'' doesn't help to authenticate Win98/WinME users in my test
environment as ports/net/freeradius seems to ignore the flag
completely anyway, but it may help with other RADIUS servers.

Handle MS-CHAPv2 authentication correctly via the RADIUS server (if it's
configured).
Handle internal failures in radius_Authenticate() correctly.
Bump the ppp version number.

This doesn't yet work with MPPE. More will follow.

Sponsored by: Mozoon

o Clean up some #includes
o Bump version number to 3.0.4
o When talking to a RADIUS server, provide a NAS-Port-Type.

When the NAS-Port-Type is Ethernet, provide a NAS-Port value equal
to the SESSIONID from the environment in direct mode or the
NGM_PPPOE_SESSIONID message in other modes. If no SESSIONID is found,
default to the interface index in client mode or zero in server mode.

When the NAS-Port-Type is ISDN, set the NAS-Port to the minor number
of the physical device (ie, the N in /dev/i4brbchN).

This makes it easier for the RADIUS server to identify the client
WRT accounting data etc.

Prompted by: lsz8425 <lsz8425@mail.cd.hn.cn>

Add support for MS-CHAP authentication via a RADIUS server.
Add support for Reply-Message and MS-CHAP-Error.

Sponsored by: Monzoon

o Add ipv6 support, abstracting most NCP addresses into opaque
structures (well, they're treated as opaque).

It's now possible to manage IPv6 interface addresses and routing
table entries and to filter IPV6 traffic whether encapsulated or
not.

IPV6CP support is crude for now, and hasn't been tested against
any other implementations.

RADIUS and IPv6 are independent of eachother for now.

ppp.linkup/ppp.linkdown aren't currently used by IPV6CP

o Understand all protocols(5) in filter rules rather than only a select
few.

o Allow a mask specification for the ``delete'' command. It's now
possible to specifically delete one of two conflicting routes.

o When creating and deleting proxy arp entries, do it for all IPv4
interface addresses rather than doing it just for the ``current''
peer address.

o When iface-alias isn't in effect, don't blow away manually (via ``iface
add'') added interface addresses.

o When listening on a tcp server (diagnostic) socket, bind so that a
tcp46 socket is created -- allowing both IPv4 and IPv6 connections.

o When displaying ICMP traffic, don't display the icmp type twice.
When display traffic, display at least some information about unrecognised
traffic.

o Bump version

Inspired after filtering work by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>

Convert IIJ copyrights to BSD copyrights.

Approved by: Toshiharu OHNO <tohno@sirius.ocn.ne.jp>

Don't assume challenges and responses don't contain embedded '\0's.

Mschapv2 response generation may produce embedded NULs... causing
us to send a bogus response to the radius server and end up
failing the client's valid response.

Problem pointed out by: Eugene Vigovskiy <vigov@com2com.ru>

Support link identification from rfc1570
Two new commands are available; ``ident'' and ``sendident''.

Add a bunch of `const's and fix a typo.

Submitted by: Rich Neswold <rneswold@MCS.Net>

Cosmetic: Make struct mbuf more like kernel mbufs.

Allow extended pap success messages by believing in the PAP headers
length field rather than the one byte message length field embedded
in the packet. This steps slightly outside of the protocol boundaries,
but should not cause any problems.

Limitation noted by: Simon Winwood <simon@winwood.org>

o Split the two IPCP queues into three - one for FSM data
(LCP/CCP/IPCP), one for urgent IP traffic and one for
everything else.
o Add the ``set urgent'' command for adjusting the list of
urgent port numbers. The default urgent ports are 21, 22,
23, 513, 514, 543 and 544 (Ports 80 and 81 have been
removed from the default priority list).
o Increase the buffered packet threshold from 20 to 30.
o Report the number of packets in the IP output queue and the
list of urgent ports under ``show ipcp''.

$Id$ -> $FreeBSD$

Add ISDN support via isdnd & i4b. This requires version
0.81.1 of the i4b code - namely support of the I4B_VR_REQ
ioctl via the i4brbchX device.

Ppp controls the phone number, but idle timers and
SYNC/RAW decisions are still made by isdnd (in isdnd.rc).

This involves a new datalink state machine phase. The
``wait for carrier'' phase happens after dialing but
before logging in. The whole dial state should really
be abstracted so that each device type can deal with it
in its own way (thinking about PPPoE) - but that'll have
to wait.

The ``set cd'' symantics remain the same for tty devices,
but we now delay until we either get CD or timeout waiting
(at which time we drop the link if we require CD).

For i4b devices we always insist on carrier.

Thanks to hm@ for his help, and especially for pointing out
that I *don't* need to re-implement isdnd (that was a huge
waste of time !) :-]

o Alter the mbuf type as it's processed by different layers.
o Show more information about missing MP fragments in ``show mp''.
o Do away with mbuf_Log(). It was showing mbuf stats twice on
receipt of LCP/CCP/IPCP packets.... ???!!?
o Pre-allocate a bit extra when creating LQR packets to avoid having
to allocate another mbuf in mbuf_Prepend().

o Redesign the layering mechanism and make the aliasing code part of
the layering.

We now ``stack'' layers as soon as we open the device (when we figure
out what we're dealing with). A static set of `dispatch' routines are
also declared for dealing with incoming packets after they've been
`pulled' up through the stacked layers.

Physical devices are now assigned handlers based on the device type
when they're opened. For the moment there are three device types;
ttys, execs and tcps.

o Increment version number to 2.2
o Make an entry in [uw]tmp for non-tty -direct invocations (after
pap/chap authentication).
o Make throughput counters quad_t's
o Account for the absolute number of mbuf malloc()s and free()s in
``show mem''.
o ``show modem'' becomes ``show physical''.

Drop PAP & CHAP packets if we're not in NETWORK or AUTHENTICATE
phase.

Avoid a few warnings on the alpha

Handle empty PAP & CHAP packets (containing only an FSM header).
Some CHAP implementations send no welcome message with their
SUCCESS/FAILURE packets. This was being mis-identified as
a truncated packet by the new authentication code :-(

Decouple pap & chap output routines from the corresponding
input routines and take advantage of the new init/continue
interface in libradius. This allows a timely response on
other links in an MP setup while RADIUS requests are in
progress as well as the ability to handle other data from
the peer in parallel. It should also make the future addition
of PAM support trivial.

While I'm in there, validate pap & chap header IDs if
``idcheck'' is enabled (the default) for other FSM packet
types.

NOTE: This involved integrating the generation of chap
challenges and the validation of chap responses
(and commenting what's going on in those routines).
I currently have no way of testing ppps ability
to respond to M$Chap CHALLENGEs correctly, so if
someone could do the honours, it'd be much
appreciated (it *looks* ok!).

Sponsored by: Internet Business Solutions Ltd., Switzerland

Reimplement the previous fix (no response to PAP requests)
at the authentication layer rather than at the PAP layer
so that it also applies to CHAP (no response to CHAP
challenges).

If we receive no answer from the server when sending PAP
requests, give up (don't sit there indefinitely).

Initial RADIUS support (using libradius). See the man page for
details. Compiling with -DNORADIUS (the default for `release')
removes support.

TODO: The functionality in libradius::rad_send_request() needs
to be supplied as a set of routines so that ppp doesn't
have to wait indefinitely for the radius server(s). Instead,
we need to get a descriptor back, select() on the descriptor,
and ask libradius to service it when necessary.
For now, ppp blocks SIGALRM while in rad_send_request(), so
it misses PAP/CHAP retries & timeouts if they occur.

Only PAP is functional. When CHAP is attempted, libradius
complains that no User-Password has been specified... rfc2138
says that it *mustn't* be used for CHAP :-(

Sponsored by: Internet Business Solutions Ltd., Switzerland

Fix some OpenBSD/alpha warnings

o Support callback types NONE, E.164, AUTH and CBCP.
(see the new ``set callback'' and ``set cbcp'' commands)
o Add a ``cbcp'' log level and mbuf type.
o Don't dump core when \T is given in ``set login'' or
``set hangup''.
o Allow ``*'' and blanks as placeholders in ppp.secret and
allow a fifth field for specifying auth/cbcp dialback
parameters.
o Remove a few extraneous #includes
o Define the default number of REQs (restart counter) in defs.h
rather than hardcoding ``5'' all over the place.
o Fix a few man page inconsistencies.

o Tidy up PAP and CHAP diagnostics. They're now all logged as PHASE
diagnostics (which are on by default).
o Deal correctly with both sides wanting CHAP.
o Output a warning if we're using an empty ``authname''. This is
*not* what we want to do.

o Fix remaining sizeof problems for 64 bit machines.
o Allow ``set ....'' when we have multiple links but aren't in
multilink mode.
o Do a TLS when we receive a ``Open'' event in ``Closed'' state,
despite the rfc state transition table. This is clearly an
error in the RFC as TLS cannot have yet been called (without
TLF) in the ``Closed'' state.
I've posted a message to comp.protocols.ppp for confirmation.

MFMP: Make ppp multilink capable.
See the file README.changes, and re-read the man page.

Add extraneous braces to stiffle warnings from gcc-2.8

MFMP: Allow 8 character login names.
Do the login()/logwtmp()/logout() as id 0.

Cosmetic (style):
sizeof(var) -> sizeof var
sizeof type -> sizeof(type)

Suggested by: J Wunsch <j@uriah.heep.sax.de>

Fix prototypes.
Remove extraneous decls.
Add ``const'' to several places.
Allow ``make NOALIAS=1'' to remove IP aliasing.
Merge with OpenBSD - only the Makefiles vary.

We can now survive a compile with
-Wall -Wbad-function-cast -Wcast-align -Wcast-qual
-Winline -Wmissing-declarations -Wmissing-prototypes
-Wnested-externs -Wpointer-arith -Wredundant-decls
-Wshadow -Wstrict-prototypes -Wwrite-strings -Wchar-subscripts
(although the Makefile just contains -Wall).

Cosmetic (no functional changes):
o Add missing $Id$s
o Move extern decls from .c -> .h files
o Staticize
o Remove #includes from .h files
o style(9)ify includes
o bcopy -> memcpy
bzero -> memset
bcmp -> memcmp
index -> strchr
rindex -> strrchr
o Move timeout.h -> timer.h (making it consistent w/ timer.c)
o Add -Wmissing-prototypes

cosmetic:
o Log client connection commands when "set log +command"
o Don't display PAP password in the log unless we're
"set log +debug".

Don't login twice when using passwdauth
Suggested by: Peter Childs <pjchilds@imforei.apana.org.au>
Merge the whole module into a few lines in pap.c

Don't allow accept/deny when it's not appropriate.
Log PAP/CHAP users in utmp & wtmp, allowing it to
be avoided with "disable utmp"

Make the code format more in line with style(9).
Update loadalias to use the new libalias api.
Update to version 1.1.

Overhaul ppp:
o Use syslog
o Remove references to stdout/stderr (incl perror())
o Introduce VarTerm - the interactive terminal or zero
o Allow "set timeout" to affect current session
o Change "set debug" to "set log"
o Allow "set log [+|-]flag"
o Make MSEXT and PASSWDAUTH stuff the default
o Move all #ifdef DEBUG stuff into the code - this
shouldn't be too much overhead. It's now controlled
with "set log +debug"
o Add "set log command, debug, tun, warn, error, alert"
o Remove cdefs.h, and assume an ansi compiler.
o Improve all diagnostic output
o Don't trap SIGSEGV
o SIGHUP now terminates again (log files are controlled
by syslog)
o Call CloseModem() when changing devices
o Fix parsing of third arg of "delete"

I think this fixes the "magic is same" problems that some
people have been experiencing.
The man page is being rewritten. It'll follow soon.

De-couple ppp from libalias. If libalias isn't there, the
alias commands simply won't work. Only root may specify the
location of the alias lib (otherwise, it's hard-coded).

Make logprintf silently fail if LogOpen hasn't been called.

Suggested by: eivind

Fix the reconnect option, and add an explanation to vars.h

Mega update to sort out bad implementations
of reconnect & -background.

o Fix reconnect anomolies.
o Make reconnect apply to failed LQR hangups (& mention in man page).
o Make reconnect effective in -background mode.
o Listen on socket in -background mode.
o Try all phone numbers in -background mode.
o Insist on system arg in -background mode.
o Make a control-connection close command exit in -background mode.
o Output status message to stdout on exit of parent in -background mode.
o Don't notify parent of success too soon.
o Describe termination EX_* code.
o Miscelaneous diagnostic corrections.
o Remove redundant connect_time from modem.c.
o Don't repeatedly DownConnection().

Revert $FreeBSD$ to $Id$

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Properly include prototypes.
Submitted-by: "Daniel O'Callaghan" <danny@panda.hilink.com.au>

Add support for the Evil Microsoft ppp extentions. Yes, they did it
on their own without even attempting to get concensus in the IETF, but
there are also lots of Win95/NT boxes out there.

CLoses PR#1494
Submitted-By: Peter Childs <pjchilds@imforei.apana.org.au>

Here is a diff of /usr/src/usr.sbin/ppp against current. The diffs
add some logging functionality which I find very useful.
'set debug link' will record just link up/down and address assignments.
'set debug connect' will record the entire chat dialog
'set debug carrier' will record just chat lines including 'CARRIER'
(so that I can be sure I'm getting a 28.8 line).

There was a global change required to permit LogPrintf to take a bit
mask instead of a bit position value (to permit logging some events
on either of two flags, so that no change in 'set debug lcp' would
result from the code supporting 'link'. Thus the diffs are rather
long for such a small change. The man page is also touched.

Oh, and there was a slight syntax problem in route.c

Reviewed by: phk
Submitted by: Tony Kimball <alk@Think.COM>

Some patches to ppp which improve stability. I have been running a
ppp based on these patches for about 3 weeks with no downtime.

The original submitters comments:

Two features iijppp has over kernel ppp that I like are predictor1
compression and demand dialing. Here are a few bug fixes.

I expanded the priority queueing scheme and discovered it was broken
due to the assignment at ip.c line 300. All packets were being
queued at the same priority.

Fixing priority queueing broke predictor1 compression. Packets
were compressed before being queued and predictor1 worked as long
as the packets were popped off the queue in the same order they
were pushed onto the queue.

There were a few byte order problems in IP header tests also.

There is a recursion problem in SendLqrReport(). LcpClose() is
called when "Too many echo packets are lost" which winds up in
SendLqrReport() again. I believe the original intention was to
just stop the LQR timer with the call to StopLqr() but the side
effects hurt.

Submitted by: John Capo <jc@irbs.com>

Remove trailing whitespace.

New user Process PPP based on iij-ppp0.94beta2.

o Supporting SYNC SIO device (But need a device driver)
- add "set speed sync"
o Fixing bug for Predictor-1 function.
o Add new parameter that re-sent interval for set timeout commands.
o Improving RTT (Round Trip Time) and reducing processor time.
- Previous Timer service was using polling, and now using
SIGALRM ;-)
- A 0.94beta2 will not work correctly....

-- Follows are additinal feature not including 0.94beta2
o Support Proxy ARP
- add "enable/disable proxy" commands
o Marging common routine in CHAP/PAP.
o Enhancing LCP/IPCP log information.
o Support local Authfication connection on port 300x and tty.
- You can set up pair of your "hostname -s" and
password in ppp.secret. if either ppp.secret file nor
your hostname line don't exist, It will notify a message
and working as same as previous version.(Backword compatibility)
- If you did set up them, It's allow connection but nothing to do
except help and passwd command.
- add "passwd yourpasswd" commands
o Support afilter - keep Alive filter that a packet can send/receiving
according to ifilter/ofilter but doesn't count it as preventing idle
timer expires.
- Same syntax of other filters.
o Fixing bugs reported by current user for previous one. Thanks !!

Reviewed by: Atsushi Murai (amurai@spec.co.jp)

This commit was generated by cvs2svn to compensate for changes in r6059,
which included commits to RCS files with non-trunk default branches.