Wed Feb  5 23:00:52 MST 1997  Greg McGary  <gkm@eng.ascend.com>

	* protos.h, radiusd.c (debug_pair): Add prefix arg.
	* radius.h (PasswordType): replace PWD_SPECIAL & PWD_NORMAL with
 	PWD_TOKEN, PWD_UNIX, and PWD_RADIUS.  (AUTH_REQ): Add auth3rd.
	* radiusd.c (getUnixPwdType, getTokenPwdType): Removed.
 	(getPwdType): Added.  (decryptAuthPwd, print_passwd): Added.
  	(authDPIPwd, authChapToken, authChapPwd, authPapPwd,
 	safeword_eval, ace_eval, ace_next): Call decryptAuthPwd.
	
Thu Jan  9 16:38:11 MST 1997  Greg McGary  <gkm@eng.ascend.com>

	* radius.h: (AUTH_REQ): Added pipe_fd member.
	
	* radiusd.c: (ACE_CHILD, ace_init_children, sig_expire,
 	ace_alloc_child, ace_find_child, ace_auth_request, ace_forward,
 	ace_fork, radrecv): Removed.  (handle_radius_request,
 	maybe_retransmit, parse_authreq, dequeue_authreq, is_ace_request):
 	Added.  (free_authreq): Remove dequeuing code.  (authPapPwd):
 	Check for zero-length state before assuming it should be coerced
 	to be a dummy challenge. (forward_duplicate_request): Don't loop
	forever after killing an unresponsive child.
	
Wed Jan  1 05:08:49 MST 1997  Greg McGary  <gkm@eng.ascend.com>
	
	* radiusd.c (rad_spawn_child): Don't close wrCachefd or ipadfd in
 	child process.
	* cache.h: (LIST_DELETED) Added.
	* cache.c: (cache_search): Return HASHLIST pointer instead of
 	HASHVAL.  (cache_insert): Allow replacement of existing entry.
	(_hlist_search): Simplify code.

Tue Oct 29 14:22:06 EST 1996  Greg McGary  <gkm@eng.ascend.com>

	* radiusd.c (ace_fork): fix args to radrecv().  (main): setsockopt
 	on acctfd.
	* radiusd.c, conf.h, cache.c, radius.h, version.c: Add ifdefs for
 	FreeBSD.
	
Thu Oct 24 15:25:34 EDT 1996  Greg McGary  <gkm@eng.ascend.com>

	* radipad.c (daemonify): Added.

Wed Oct 23 18:26:19 EDT 1996  Greg McGary  <gkm@eng.ascend.com>

	* radiusd.c (rad_accounting): Free authreq properly.
	
Sun Oct 13 23:46:12 EDT 1996  Greg McGary  <gkm@eng.ascend.com>

	* radipad.c: Rename some BITMAP_ macros for clarity (replace `INT'
	with `WORD' so that it stands out better in contrast to `BIT').
 	(most_recent_hash_1, most_recent_hash_2, most_recent_hash_compare,
	find_most_recent, most_recent_compare, IP_ADDRESS_HASH_1,
	IP_ADDRESS_HASH_2): Added.  (init_hash_tables): init
	most_recent_table.  (allocate_from_chunk): improve variable names,
	add base_address arg.  (bitmap_set_first_zero): fix bug that
	allocated from beyond the end of a full chunk.
 	(allocate_ip_address): implement round-robin allocation.

	* radiusd.c (send_answer): Added.  (insert_response_md5_digest):
	renamed from append_response_md5_digest.  (make_send_buffer):
	(renamed from prepare_send_buffer) malloc the send buffer so we
	can keep a copy of the response for every outstanding request.
 	(send_accounting_response, send_reject, send_challenge, send_pwack,
	send_pwexpired, send_accept, send_nextcode, forward_radipad_response):
	call send_answer. (forward_duplicate_request): (formerly
	discard_duplicate_request) when duplicate requests arrive discard
	if we don't have a response yet, and retransmit our response if we
	do.  (rad_spawn_child): remove unused activefd arg.

	* acct.c (send_acct_reply): rewrite to use make_send_buffer,
	append_response_md5_digest, send_answer.
	
	* radipa.c (radipa_receive_response, radipa_allocate_ip_address,
	radipa_release_ip_address): added inside #ifdef TESTING.  (debugf,
	log_err): add stdarg support in addition to varargs.
	
	* radius.h: (AUTH_REQ): Added answer and answer_length members for
 	stashing retransmittable response.
	
	* users.c, radiusd.c, md5.c: rename `sin', `idle', `link' and
 	`index' to avoid shadowning global libc symbols of the same name.
	
	* usr_read.c: (warn) add stdarg support in addition to varargs.
	
	* acct.c: move contents into radiusd.c and remove.
	
	* version.c: update VERSION macro.
	
Thu Sep 19 14:40:48 EDT 1996  Greg McGary  <gkm@eng.ascend.com>

	* strerror.c: Added.

	* Makefile: Added missing .c.o rules.  Added strerror.o to
	builds of radiusd and radipad.  Split CFLAGS lines for Solaris
	2.[1-4] and 2.5, differing by -D_SVID_GETTOD

	* cache.h, md5.h, protos.h: Added guards against
 	multiple-inclusion.

	* cache.h: get definition of P__ from conf.h.

	* conf.h: include <sys/types.h> before <machine/inline.h> for BSDI.

	* hash.h, hash.c: Move include of conf.h from hash.c to hash.h

	* md5.h, md5.c: Use prototype macros from conf.h.

	* protos.h, radiusd.h, radipad.h: conditionally use old-style
	varargs or STDC's stdarg for variable length argument lists.

	* radipa.c (radipa_init): radipa_parse_hosts is now handed a
 	buffer so that they don't malloc one for us.  That way we don't
 	have to be responsible for freeing anything.
  	(radipa_parse_hosts, radipa_parse_pool): user_find, which might
 	fail, is now called before allocating any memory.
	
	* users.c: fetch_user_data bug is fixed so that it no longer tries
 	a redundant close on a (FILE *) that's been NULL'ed out.
	
Tue Sep  3 00:11:59 EDT 1996  Greg McGary  <gkm@eng.ascend.com>

	* New Features: Authentication via Digital Pathways Defender.
	IP Address allocation from global pools managed by RADIUS.
	
	* Makefile: add radipad target & Digital Pathways libraries.

	* conf.h: moved definitions of P__ and CONST here from protos.h
	
	* acct.c, dict.c, filters.c, protos.h, radius.h, radiusd.c,
	users.c, util.c: added CONST keyword in numerous places.

	* radius.h (AUTH_STRING_LEN): Shortened to 253, so length will
 	never exceed 255.  (PW_ASCEND_RADIPA_ALLOCATE,
 	PW_ASCEND_RADIPA_RELEASE, ASCEND_ASSIGN_IP_CLIENT,
 	ASCEND_ASSIGN_IP_SERVER, ASCEND_ASSIGN_IP_GLOBAL_POOL,
	ASCEND_ASSIGN_IP_POOL, ASCEND_IP_POOL_DEFINITION): Added.
	
	* radiusd.c (authResults): Added enumerators DPI_FAILED,
 	DPI_PASSED. (free_authreq, discard_duplicate_request,
 	handle_radipa_response, forward_radipad_response, get_user_name,
 	get_user_values, maybe_init_radipa,
 	allocate_ip_address_from_global_pool,
 	release_ip_address_to_global_pool, get_router_address,
 	get_framed_address, remote_sockaddr, append_response_md5_digest,
 	append_user_message, prepare_send_buffer): Added.  (send_nextcode,
 	send_accept, send_pwack, send_pwexpired, send_challenge,
 	rad_authenticate, send_accounting_response, dpi_readcfg, cfg_key,
 	cfg_str, cfg_int, dpi_init, dpi_read, dpi_challenge, dpi_notify,
 	authDPIPwd): Call remote_sockaddr, append_response_md5_digest,
 	append_user_message, and prepare_send_buffer.  (cut_attribute):
 	Revise arglist.
	
	* users.c (make_pair): Added.

	* radipa.h, radipa.c, radipad.c, hash.h, hash.c: Added.
	
Fri May 24 16:27:03 EDT 1996  Greg McGary  <gkm@eng.ascend.com>

	* New Features: Now supports multi-threaded operation with ACE
 	token card authentication.

	* protos.h (debugf, ace_init_children, ace_forward,
 	ace_find_child, ace_alloc_child, sig_expire, ace_fork):
 	Added. (log_err):  Handle varargs.

	* radiusd.c (debugf, vdebugf): Added--prefixes debug log
 	entries with timestamp and pid. (log_err): Change interface to be
 	printf-like with varargs. (ace_init_children, ace_forward,
 	ace_find_child, ace_alloc_child, sig_expire, ace_fork): Added.
	(copyValuePair): Fixed to return a value.

	* acct.c, builddbm.c, filters.c, radiusd.c: Use new log_err
	interface instead of sprintf+log_err.

	* users.c (fetch_user_data, fieldequ, fieldskip, user_wants_ace):
 	Added.  (parse_record, user_find):  Close userfd in caller.

	* usr_read.c (warn): Change interface to be printf-like with
 	varargs. (user_read): Use new warn interface instead of
	sprintf+warn.
	
Tue May  7 18:04:04 PDT 1996 Bill Alsup <balsup@ascend.com>

	New features
	o The Ascend-PW-Expiration token, if present, is now 
	  transmitted back to the NAS.  

Fri Feb 16 14:48:00 PST 1996 Ron Chu <rchu@ascend.com>

	New features
	o Example program, "cexample", to send disconnect or
	  change filter requests to server.  Documentation
	  on installation and usage in README.cexample.

Fri Jan 12 15:09:14 PST 1996 Joel L Wittenberg   <joelw@ascend.com>

	New features
	o Added support for long (up to 252 character) passwords.
	  This was mostly already present (added when long username
	  support was added), but it had not been verified to be
	  completely functional. Available only for PAP passwords.

Thur Jan 11 10:45  1996  Venant DeSouza <venant@ascend.com>

     	New features
	- Now supports ARA logins.
  
Wed Dec 20 12:39:06 1995  Joel L Wittenberg   <joelw@ascend.com>

	New features:
	o Supports long (up to 252 characters) names (uncached)
	o Generic Filters with NotEqual comparisons
	o ACE Token Authentication of multiple users behind a single
	  remote router.
	o Accounting disable or restriction to /etc/service entry.
	o Token-Immediate mode for SafeWord (no challenge)

	* cache.c
	o Enforce key and value length limit (16)

	* builddbm.c
	  Syntax fix for _old_ compilers
	
	* radiusd.c
	o multiple token users authentication
	o Accounting mode selection
	o Long user names
	o Syntax fix for _old_ compilers

	* users.c, usr_read.c
	o Long user names
	o Syntax fix for _old_ compilers

	* filters.c
	o Generic filter NotEqual comparisons

	* radius.h
	o Long user names
	o Generic filter NotEqual comparisons

	* md5.h
	o Syntax fix for _old_ compilers


Fri Oct 20 13:19:49 1995  Joel L Wittenberg   <joelw@ascend.com>

	Added new features:
	o Support for Safeword token authentication where the user inputs
	  a <dynamic,fixed> password; the dynamic portion is used as
	  usual, and the fixed portion is delivered to Safeword in the
	  fixed password field.
	o Support for "Token-Immediate" mode; this allows Ace token
	  authentication without a challenge; the given password is
	  assumed to be the fully-formed dynamic password and it is
	  presented to the Ace server for authentication as-is. This is
	  available only with PAP authentication (i.e., PAP
	  router-to-router, or modem dial-in).
	o Support for "Token-Idle" token caching. This adds an additional
	  requirement for cached tokens: the idle time must not have
	  elapsed. Idle times are set when a token is initially inserted
	  into the cache, and are updated whenever a cache hit occurs.
	  Idle time-out causes the token to be deleted from the cache upon
	  the next access.

	* cache.h, cache.c
	o Added Token Idling

	* radiusd.c
	o Added Token Idling
	o Added Token Immediate
	o Added <dynamic,fixed> password parsing

	* version.c
	o new version date


Fri Oct 08 02:37:12 1995  Joel L Wittenberg   <joelw@ascend.com>

	Combined the ANSI and K&R code versions into a single version.
	This greatly eases the maintenance burden, and makes it easier
	for end-users to decide which code set to compile (since there is
	now only one code set :-). The downside is that function
	definitions are all old-style (macros to convert to the
	appropriate definition style are just too ugly to live with). This
	means that if you set an ANSI compiler to full-whine mode it will
	complain about every function definition; c'est la vie.

	Now supports token passwords with CHAP (MD5) encryption and with
	token caching.

	* radiusd.c
	o Support token passwords with MD5 encryption.
	o Support MD5 token caching (use -c option to enable token
	  caching)
	o Changed attribute list handling mechanism
	o General cleanup and modularisation

	* cache.c, cache.h
	o Cache passwords

	* version.c
	o new version date

	* ALL
	o Converted to unified K&R/ANSI format

Fri Sep 08 02:37:12 1995  Joel L Wittenberg   <joelw@ascend.com>

	This version supports password ageing and changing (based on the
	existing mechanism, but somewhat different). "Special" passwords
	may not be changed.

	* dict.c
	o return distinct error codes
	o initialise the global dictionary_{attributes, values} vars.

	* radius.h
	o Added PasswordType enum, new attributes, value names, and types.
	o Added size field to VALUE_PAIR struct
	o Added many more error codes and messages

	* radiusd.c
	o Started conditionalising debug code which emits passwords to
	  provide finer grained control over debug
	o Improved error code to messages handling
	o Added flag to allow/prohibit password changing
	o Modified password changing:
		- variable length encrypted passwords
		- can't change 'special' passwords
	o Added returning password expired packet type
	o Global and per-user expiration values
	o Authenticates incoming accounting requests, this was inexplicably
	  left out of the previous release.
	
	* users.c
	o return distinct error codes
	o Better date parsing

	* usr_read.c
	o return distinct error codes

	* version.c
	o new version date

Tue Aug 15 02:29:20 1995  Joel L Wittenberg   <joelw@ascend.com>

	* appsrvr.c:
	o Add support for operation without IP addresses

	* radiusd.c:
	o Fix for core dump when unkown error code is returned.
	o Security changes.

Tue Jul 25 01:12:16 1995  Marco S Hyman  <marc@turkey.Ascend.COM>

	* ascendd/Makefile: Add -DASCEND_SECRET to CFLAGS

	* ascendd/radius.h: Define the two attributes that will be
	encrypted in response packets when using ASCEND_SECRET.

	* ascendd/radiusd.c: Add support for encryptions of send and
	receive passwords sent to the NAS for outdial and PAP-TOKEN-CHAP
	support.

	* ascendd/version.c: Bump release date and display ASCEND_SECRET
	if compiled with that option.

	* ascendd-ansi: Apply same patches applied to the non-ansi
	version.

	* all files: Precede the Ascend SCCS id with "ASCEND:"

Mon Jul 11 16:20:13 1995  Joel L Wittenberg <joelw@ascend.com>

	* radiusd.c:
	o Better error messages for database parse errors.
	o Simultaneous support for original radius accounting and for Ascend
	  logout accounting.
	o Check /etc/services for radacct service definition
	o Fixed failure to use network byte order when responding to
	  Ascend logout accounting requests.
	o New flag ("-w") for database warning messages concerning improper
	  user file format. In all cases radiusd will attempt to correct for
	  any file format errors.
	
	* radius.h:
	o Changed definition of srcip and dstip addresses in struct
	  RadIpFilter to be of type UINT4 - this should make the code work
	  on hosts with 8 byte longs, e.g., ALPHA machines.

	* users.c:
	o Abstracted open and closing user database files so that knowledge
	  of DBM or flat file usage is localised.
	o DBM and flat file scanning is now identical. File scanning and
	  parsing attempts to detect, correct, and optionally warn about
	  many file format problems. A variety of bugs have been fixed.
	
	* builddbm.c:
	o Added options: can now specify the directory for the users file,
	  the name of the users file, dump of the records entered into the
	  database, warning messages to stdout rather than stderr (useful
	  when redirecting all output to a single file).
	o Uses same function to scan users file as radius does in flat
	  file mode - ensures consistency between DBM and non-DBM daemons.
	  Uses this function to create the DBM version of the database.
	o In addition to the format checking the common scanner performs,
	  builddbm now checks for and ignores duplicate entries in the users
	  file (and optionally warns the user).
	  
	* usr_read.c:
	o New file: contains the scanner used by both the flat file and
	  DBM programs to retrieve records from the flat file.

	* builddbm.1, users-file-syntax.1
	o New documentation on builddbm and the syntax of the users file.


Thu Jun 15 12:50:48 1995  Joel L Wittenberg <joelw@ascend.com>

	* radiusd.c:
	Added additional function prototypes for token security cards.
	When run in spawning mode and using the ACE authentication server,
	if ACE returns a NEXTCODE request Radius will now deliver this to
	the Pipeline, but with a cautionary message to see the sysadmin;
	if in single-threaded mode, it appends a message which tells the
	user to not include the PIN with the nextcode.  Previously (950530)
	no messages were appended for NEXTCODE, and if in multi-threaded
	mode Radius would simply return AUTH_FAILURE. The new behaviour is
	intended to help users understand what is happening.

	* ANSI version (ascendd-ansi):
	New include file 'protos.h' which most C files now include;
	some files which are self-contained have function prototypes
	in-line.  Passes Sun's C compiler with -v -fb -Xc, which is
	pretty picky.

	* Note that compiling this code on a machine/compiler combination
	which has 64-bit longs (e.g., ALPHA) will result in incompatible
	representations on the line. If possible, tell the compiler to use
	32-bit longs.


Tue May 30 14:40:20 1995  Joel L Wittenberg <joelw@ascend.com>

	* radiusd.c:
	Added code to process Security Dynamics' NEXT_PASSCODE
	authentication result; this results in another pass
	through all the systems to prompt for and retrieve the
	next passcode from the users' token.  Due to implementation
	oddities in the SD libraries, this will not work at all unless
	you start the radius daemon single-threaded, ie., 'radiusd -s'
	and even then it is essentially broken - if ANY other SD
	request is processed after SD returns the NEXT_PASSCODE result
	and before the next passcode from the user is actually presented
	to SD, then that intervening SD authentication request will fail
	and it will also cause the next passcode response to fail when it
	does arrive.  This is not useful behaviour.

	Also added code to support Security Dynamics' NEW_PIN
	authentication result; this code is not finished and is not
	functional. When it is finished it will suffer from the same
	restrictions as NEXT_PASSCODE, for the same reasons.

	* radius.h: Added define of PW_NEXT_PASSCODE.


Mon May 29 21:23:35 1995  Marco S Hyman  <marc@dumbcat.sf.ca.us>

	* radiusd.c (send_accept): Proper processing of filter attributes
	when building response packet.

	* attrprint.c: Handle printing of filter (abinary) attributes.

Sat Apr 15 13:46:45 1995  Marco S Hyman  <marc@dumbcat.sf.ca.us>

	* Changes to convert reference RADIUS daemon version 1.16
	to the Ascend version that supports binary filters, Ascend
	logout, SafeWord and ACE external authentication servers.

	* Makefile: More comments.  Add definitions required for
	the external authentication servers.  Add filters.o.

	* acct.c: Add void return type to public functions.

	* attrprint.c: Add void return type to public functions.

	* dict.c: Add support fo the 'abinary' data type for Ascend
	filters.

	* filters.c: New file to support Ascend filters.

	* md5.c: Add void return type to md5_calc.

	* radius.h: Change AUTH_STRING_LEN from 128 to 254 since
	that's the largest value we can process.  Add binary filter
	and related definitions.

	* radiusd.c: Enigma Logic SafeWord and Security Dynamics ACE
	support added.  Binary filters.  Ascend logout.  Removed
	Livingston challenge test code.

	* radpass.c: Add void return types.

	* users.c: On stack value string bumped from 64 to 256.  Support
	for binary filters.

	* util.c: Add return types to public functions.

	* version.c: Add "(plus Ascend extensions)" to version display.
	Add BINARY_FILTERS, ASCEND_LOGOUT, SafeWord, and ACE to compile
	time option display.
