MFC r326276:

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Add a new option for ppp.conf: rad_port_id. It allows to
change the way of what ppp submits to the RADIUS server
as NAS-Port-Id. Possible options are: the PID of the process
owning the corresponding interface, tun(4) interface number,
interface index (as it would get returned by if_nametoindex(3)),
or it's possible to keep the default behavior. Check the ppp(8)
manual page for details.

PR: bin/112764
Submitted by: novel (myself)
Reviewed by: flz
Approved by: flz
MFC after: 1 month

Add a radius_Flush() function that waits for the response (or timeout) to
any pending RADIUS transaction. Use this before sending RAD_STOP RADIUS
messages so that we definitely ``stop'' the session.

It was discovered that sometimes when the link timed out, we got lucky
enough to have an un-ACK'd RADIUS accounting transaction in progress,
resulting in the RAD_STOP message failing to send.

Original report found on: A russion news group
Text translated by: glebius
Tested by: Alexey Popov llp at iteranet dot com
MFC after: 7 days

Support a ``set rad_alive N'' command to enable periodic RADIUS accounting
information being sent to the RADIUS server.

Logging of RADIUS accounting information moves to a ``set log [+-]radius''
level, along with the RADIUS alive info, and the version number is bumped
to 3.2 to reflect this.

Mostly submitted by: alx@sm.ukrtel.net (back in January)
MFC after: 3 weeks

name union.

IPV6PREFIX is set when Framed-IPv6-Prefix is defined, You may
want to pass the value to upper layer protocol such as DHCPv6
for prefix delegation.

MFC after: 1 week

Do RADIUS accounting on IPV6CP.

MFC after: 1 week

Oops, I put unused variable in my previous commit.

MFC after: 1 week

Install routes specified by Framed-IPv6-Route. Since the format
of Framed-IPv6-Route is user defined, it follows Framed-IP-route.

MFC after: 1 week

Compensate for dodgy Win98/WinME MSCHAPv2 responses later in the code
path... after we've talked to any RADIUS servers involved, so that we
haven't touched the data before it gets to the server.

Make it clearer in the code that this compensation is done by setting
a flag to a value of zero, a flag which rfc2759 says *MUST* be zero.

While we're here, don't bother passing the peer challenge into
radius_Authenticate(). It's already part of the key we're passing in
(this becomes obvious now that I've structured that data...).

This ``fix'' doesn't help to authenticate Win98/WinME users in my test
environment as ports/net/freeradius seems to ignore the flag
completely anyway, but it may help with other RADIUS servers.

Remove whitespace at the end of lines.

Understand the following Microsoft Vendor Specific RADIUS attributes:

RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY
RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES
RAD_MICROSOFT_MS_MPPE_RECV_KEY
RAD_MICROSOFT_MS_MPPE_SEND_KEY

These attributes may be supplied by a RADIUS server when MSCHAPv2 is
used to authenticate.

It *should* now be possible to build ppp with -DNODES and still support
CHAP/MSCHAP/MSCHAPv2/MPPE via a RADIUS server, but the code isn't yet
smart enough to do that (building with -DNODES just looses these
facilities).

Sponsored by: Monzoon

Handle MS-CHAPv2 authentication correctly via the RADIUS server (if it's
configured).
Handle internal failures in radius_Authenticate() correctly.
Bump the ppp version number.

This doesn't yet work with MPPE. More will follow.

Sponsored by: Mozoon

Add support for MS-CHAP authentication via a RADIUS server.
Add support for Reply-Message and MS-CHAP-Error.

Sponsored by: Monzoon

Understand the Session-Timeout RADIUS attribute
Store the Filter-Id attribute (we don't do anything with it yet)

Submitted mostly by: andrew pavlov <and@kremenchug.net>

Get tun P2P address from the local pool if RADIUS server returned
255.255.255.254 as client ipaddr.

Reviewed-By: freebsd-net mailing list

Don't assume challenges and responses don't contain embedded '\0's.

Mschapv2 response generation may produce embedded NULs... causing
us to send a bogus response to the radius server and end up
failing the client's valid response.

Problem pointed out by: Eugene Vigovskiy <vigov@com2com.ru>

MAXPATHLEN -> PATH_MAX
Don't assume MAXHOSTNAMELEN includes the NUL
Correct a diagnostic
Use "localhost" in our prompt instead of ""

Support radius accounting, and add a packet count to throughput
statistics as a side effect.

Submitted by: Marcin Cieslak <saper@system.pl>

with some tweaks to RAD_ACCT_SESSION_ID and
RAD_ACCT_MULTI_SESSION_ID generation by me.

To avoid namespace polution in NetBSD:

``struct descriptor'' -> ``struct fdescriptor''

$Id$ -> $FreeBSD$

Decouple pap & chap output routines from the corresponding
input routines and take advantage of the new init/continue
interface in libradius. This allows a timely response on
other links in an MP setup while RADIUS requests are in
progress as well as the ability to handle other data from
the peer in parallel. It should also make the future addition
of PAM support trivial.

While I'm in there, validate pap & chap header IDs if
``idcheck'' is enabled (the default) for other FSM packet
types.

NOTE: This involved integrating the generation of chap
challenges and the validation of chap responses
(and commenting what's going on in those routines).
I currently have no way of testing ppps ability
to respond to M$Chap CHALLENGEs correctly, so if
someone could do the honours, it'd be much
appreciated (it *looks* ok!).

Sponsored by: Internet Business Solutions Ltd., Switzerland

Initial RADIUS support (using libradius). See the man page for
details. Compiling with -DNORADIUS (the default for `release')
removes support.

TODO: The functionality in libradius::rad_send_request() needs
to be supplied as a set of routines so that ppp doesn't
have to wait indefinitely for the radius server(s). Instead,
we need to get a descriptor back, select() on the descriptor,
and ask libradius to service it when necessary.
For now, ppp blocks SIGALRM while in rad_send_request(), so
it misses PAP/CHAP retries & timeouts if they occur.

Only PAP is functional. When CHAP is attempted, libradius
complains that no User-Password has been specified... rfc2138
says that it *mustn't* be used for CHAP :-(

Sponsored by: Internet Business Solutions Ltd., Switzerland