Merge remote-tracking branch 'freeradius/v3.0.x' into tr-integ
authorKevin Wasserman <krwasserman@painless-security.com>
Thu, 4 Sep 2014 17:59:56 +0000 (13:59 -0400)
committerKevin Wasserman <krwasserman@painless-security.com>
Thu, 4 Sep 2014 17:59:56 +0000 (13:59 -0400)
Conflicts:
raddb/sites-available/channel_bindings
share/dictionary.ukerna
src/include/tls-h
src/main/realms.c
src/modules/rlm_realm/all.mk
src/modules/rlm_realm/rlm_realm.c

raddb/sites-available/channel_bindings
share/dictionary.ukerna
src/include/realms.h
src/main/listen.c
src/main/process.c
src/main/realms.c
src/modules/rlm_realm/all.mk
src/modules/rlm_realm/rlm_realm.c
src/modules/rlm_realm/trustrouter.c

@@@ -10,11 -10,31 +10,10 @@@ server channel_bindings 
  #  Only the "authorize" section is needed.
  #
  authorize {
 -      if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) {
 -              reject
 -      }
  
 -      if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) {
 -              update control {
 -                      &Chbind-Response-Code := success
 -              }
 -
 -              #
 -              #  ACK the attributes in the request.
 -              #
 -              #  If any one of these attributes don't exist in the request,
 -              #  then they won't be copied to the reply.
 -              #
 -              update reply {
 -                      &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name
 -                      &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name
 -                      &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name
 -              }
 -      }
 -
 -      #
 -      #  Return "handled" so that the "authenticate" section isn't used.
 -      #
 -      handled
 -}
 +      #In general this section should include a policy for each type
 +      # of channel binding that may be in use.  For example each lower
 +      # layer such as GSS-EAP (RFC 7055) or IEEE 802.11I is likely to
 +      # need a separate channel binding policy.
 +      abfab_channel_bindings
  }
- }
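Review bot: The merged `authorize` section no longer ends with an explicit `handled`, which the v3.0.x side used so that the `authenticate` section was never reached; unless the `abfab_channel_bindings` policy itself returns `handled` (the policy is not in this diff, so I cannot tell), requests in this virtual server will now fall through to `authenticate`, which the header comment says is not needed. The inline check that rejected a request whose inner `&GSS-Acceptor-Service-Name` differs from `&outer.request:GSS-Acceptor-Service-Name` is also gone from this file; presumably it moved into the policy, but that is worth confirming since it is the check that ties the inner EAP channel binding to the outer request. One wording nit on the first comment line: `# In general this section should include a policy for each type`.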
@@@ -14,14 -14,7 +14,14 @@@ ATTRIBUTE   UKERNA-GSS-Acceptor-Service-N
  ATTRIBUTE     UKERNA-GSS-Acceptor-Host-Name           129     string
  ATTRIBUTE     UKERNA-GSS-Acceptor-Service-Specific    130     string
  ATTRIBUTE     UKERNA-GSS-Acceptor-Realm-Name          131     string
 -ATTRIBUTE     SAML-AAA-Assertion                      132     string
 -ATTRIBUTE     EAP-Channel-Binding-Message             135     octets
 +ATTRIBUTE     SAML-AAA-Assertion              132     string
 +ATTRIBUTE     MS-Windows-Auth-Data                    133     octets
 +ATTRIBUTE     MS-Windows-Group-Sid                    134     string
 +ATTRIBUTE     EAP-Channel-Binding-Message     135     octets
 +ATTRIBUTE     Trust-Router-COI        136     string
 +ATTRIBUTE     Trust-Router-APC        137     string
- attribute Moonshot-Host-TargetedId 138 string
- attribute  Moonshot-Realm-TargetedId 139 string
- attribute Moonshot-TR-COI-TargetedId 140 string
++ATTRIBUTE     Moonshot-Host-TargetedId        138     string
++ATTRIBUTE     Moonshot-Realm-TargetedId       139     string
++ATTRIBUTE     Moonshot-TR-COI-TargetedId      140     string
  
  END-VENDOR UKERNA
@@@ -159,9 -159,10 +159,11 @@@ int realms_init(CONF_SECTION *config)
  void realms_free(void);
  REALM *realm_find(char const *name); /* name is from a packet */
  REALM *realm_find2(char const *name); /* ... with name taken from realm_find */
+ void realm_home_server_sanitize(home_server_t *home, CONF_SECTION *cs);
  int realm_home_server_add(home_server_t *home, CONF_SECTION *cs, int dual);
 +void realm_home_server_sanitize( home_server_t *home, CONF_SECTION *cs);
  int realm_pool_add(home_pool_t *pool, CONF_SECTION *cs);
+ void realm_pool_free(home_pool_t *pool);
  int realm_realm_add( REALM *r, CONF_SECTION *cs);
  
  void home_server_update_request(home_server_t *home, REQUEST *request);
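Review bot: `realm_home_server_sanitize` is declared twice in the merged header, once from the v3.0.x side and again from the tr-integ side as `void realm_home_server_sanitize( home_server_t *home, CONF_SECTION *cs);`; the prototypes are compatible so this compiles, but one should be dropped, and the tr-integ one with the stray space after the parenthesis is the odd one out stylistically. The same merge deletes the tr-integ definition of this function from realms.c (the hunk headed `static int home_server_add`), so confirm that exactly one definition survives elsewhere in realms.c, outside this diff; otherwise the prototype kept here resolves to nothing at link time.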
@@@ -616,80 -700,7 +700,6 @@@ static int home_server_add(realm_config
        return realm_home_server_add(home, cs, dual);
  }
  
- void realm_home_server_sanitize(home_server_t *home,
-                               CONF_SECTION *cs)
- {
-       CONF_SECTION *parent = NULL;
-       FR_INTEGER_BOUND_CHECK("max_outstanding", home->max_outstanding, >=, 8);
-       FR_INTEGER_BOUND_CHECK("max_outstanding", home->max_outstanding, <=, 65536*16);
-       FR_INTEGER_BOUND_CHECK("ping_interval", home->ping_interval, >=, 6);
-       FR_INTEGER_BOUND_CHECK("ping_interval", home->ping_interval, <=, 120);
-       FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, >=, 0, 1000);
-       FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, <=, 60, 0);
-       FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, <=,
-                              main_config.max_request_time, 0);
-       FR_INTEGER_BOUND_CHECK("response_timeouts", home->max_response_timeouts, >=, 1);
-       FR_INTEGER_BOUND_CHECK("response_timeouts", home->max_response_timeouts, <=, 1000);
-       /*
-        *      Track the minimum response window, so that we can
-        *      correctly set the timers in process.c
-        */
-       if (timercmp(&main_config.init_delay, &home->response_window, >)) {
-               main_config.init_delay = home->response_window;
-       }
-       FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, >=, 1);
-       FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, <=, 120);
-       FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, >=, (uint32_t) home->response_window.tv_sec);
-       FR_INTEGER_BOUND_CHECK("num_pings_to_alive", home->num_pings_to_alive, >=, 3);
-       FR_INTEGER_BOUND_CHECK("num_pings_to_alive", home->num_pings_to_alive, <=, 10);
-       FR_INTEGER_BOUND_CHECK("check_timeout", home->ping_timeout, >=, 1);
-       FR_INTEGER_BOUND_CHECK("check_timeout", home->ping_timeout, <=, 10);
-       FR_INTEGER_BOUND_CHECK("revive_interval", home->revive_interval, >=, 60);
-       FR_INTEGER_BOUND_CHECK("revive_interval", home->revive_interval, <=, 3600);
- #ifdef WITH_COA
-       FR_INTEGER_BOUND_CHECK("coa_irt", home->coa_irt, >=, 1);
-       FR_INTEGER_BOUND_CHECK("coa_irt", home->coa_irt, <=, 5);
-       FR_INTEGER_BOUND_CHECK("coa_mrc", home->coa_mrc, <=, 20);
-       FR_INTEGER_BOUND_CHECK("coa_mrt", home->coa_mrt, <=, 30);
-       FR_INTEGER_BOUND_CHECK("coa_mrd", home->coa_mrd, >=, 5);
-       FR_INTEGER_BOUND_CHECK("coa_mrd", home->coa_mrd, <=, 60);
- #endif
-       FR_INTEGER_BOUND_CHECK("max_connections", home->limit.max_connections, <=, 1024);
- #ifdef WITH_TCP
-       /*
-        *      UDP sockets can't be connection limited.
-        */
-       if (home->proto != IPPROTO_TCP) home->limit.max_connections = 0;
- #endif
-       if ((home->limit.idle_timeout > 0) && (home->limit.idle_timeout < 5))
-               home->limit.idle_timeout = 5;
-       if ((home->limit.lifetime > 0) && (home->limit.lifetime < 5))
-               home->limit.lifetime = 5;
-       if ((home->limit.lifetime > 0) && (home->limit.idle_timeout > home->limit.lifetime))
-               home->limit.idle_timeout = 0;
-       parent = cf_item_parent(cf_sectiontoitem(cs));
-       if (parent && strcmp(cf_section_name1(parent), "server") == 0) {
-               home->parent_server = cf_section_name2(parent);
-       }
- }
--
  int realm_home_server_add(home_server_t *home, CONF_SECTION *cs, int dual)
  {
        const char *name2 = home->name;
@@@ -1,3 -1,10 +1,11 @@@
  TARGET                := rlm_realm.a
- SOURCES               := rlm_realm.c trustrouter_integ.c
- TGT_LDLIBS    := -ltr_tid
+ SOURCES               := rlm_realm.c
+ #TRUSTROUTER  = yes
+ ifneq "$(TRUSTROUTER)" ""
+ SRC_CFLAGS    += -I /path/to/moonshot/include/ -D HAVE_TRUST_ROUTER_TR_DH_H
+ TGT_LDLIBS    += -ltr_tid
+ SOURCES               += trustrouter.c
+ endif
++
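Review bot: `SRC_CFLAGS += -I /path/to/moonshot/include/ -D HAVE_TRUST_ROUTER_TR_DH_H` bakes a placeholder directory into the build file, so turning on `TRUSTROUTER` requires hand-editing all.mk, and the manual `-D` has to be kept in step with whatever the build actually finds. Taking the prefix from a variable, for example `SRC_CFLAGS += -I $(TRUSTROUTER_INCLUDE) -D HAVE_TRUST_ROUTER_TR_DH_H` with a `TRUSTROUTER_INCLUDE` default next to the `#TRUSTROUTER = yes` toggle, keeps the file buildable without edits; better still, have configure define `HAVE_TRUST_ROUTER_TR_DH_H` since rlm_realm.c already keys on that macro. A one-line comment above the `ifneq` would also help, e.g. `# Set TRUSTROUTER=yes to build the Moonshot Trust Router support in trustrouter.c`.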
@@@ -36,14 -36,15 +36,16 @@@ typedef struct realm_config_t 
        char const      *delim;
        bool            ignore_default;
        bool            ignore_null;
-       char            const *default_community;
-       char            const *rp_realm;
-       char const              *trust_router;
-       unsigned int    tr_port;
 -
+ #ifdef HAVE_TRUST_ROUTER_TR_DH_H
+       char const      *default_community;
+       char const      *rp_realm;
+       char const      *trust_router;
+       uint32_t        tr_port;
+ #endif
  } realm_config_t;
  
 +#define stringify(s) #s
 +
  static CONF_PARSER module_config[] = {
    { "format", FR_CONF_OFFSET(PW_TYPE_STRING, realm_config_t, format_string), "suffix" },
    { "delimiter", FR_CONF_OFFSET(PW_TYPE_STRING, realm_config_t, delim), "@" },
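Review bot: The `realm_config_t` members `default_community`, `rp_realm`, `trust_router` and `tr_port` now exist only under `#ifdef HAVE_TRUST_ROUTER_TR_DH_H`, so any `module_config` entries that reference them through `FR_CONF_OFFSET` (the table starts at the end of this hunk and continues past it) must be wrapped in the same guard, or a build without Trust Router support fails to compile; I cannot see those entries here, so this needs confirming. `#define stringify(s) #s` is introduced with no use visible in the hunk; a lower-case, generic macro name at file scope is easy to collide with a helper of the same name from an included header, so a short comment stating what it is for, or an `#undef` once it has been used, would help. The `realm_config_t` definition begins above this hunk.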
@@@ -293,37 -314,62 +314,62 @@@ static bool update_required(REALM cons
        const home_pool_t *pool;
        int i;
        const home_server_t *server;
-       time_t now = time(0);
-       if (!r->auth_pool)
-               return 0; /*not ours*/
+       time_t now = time(NULL);
+       /*
+        *      No pool.  Not our realm.
+        */
+       if (!r->auth_pool) return false;
        pool = r->auth_pool;
 -      for (i = 0; i < pool->num_home_servers; i++) {w
 +      for (i = 0; i < pool->num_home_servers; i++) {
                server = pool->servers[i];
-               if (server->cs)
-                       return 0; /*we didn't allocate this*/
-               if ((server->last_packet_recv > now+5)
-                   ||(server->last_failed_open > now+5))
-                       continue; /*nonsensical values*/
-               /*If any server has received a packet in the last 5 minutes then we don't need an update*/
-               if (now - server->last_packet_recv < 300)
-                       return 0;
-               /*If we haven't had a failed open to this server in the last 10 minutes, then try an open rather than an update*/
-               if (now - server->last_failed_open > 600)
-                       return 0;
+               /*
+                *      The realm was loaded from the configuration
+                *      files.
+                */
+               if (server->cs) return false;
+               /*
+                *      These values don't make sense.
+                */
+               if ((server->last_packet_recv > (now + 5)) || 
+                   (server->last_failed_open > (now + 5))) {
+                       continue;
+               }
+               /*
+                *      This server has received a packet in the last
+                *      5 minutes.  It doesn't need an update.
+                */
+               if ((now - server->last_packet_recv) < 300) {
+                       return false;
+               }
+               /*
+                *      If we've opened in the last 10 minutes, then
+                *      open rather than update.
+                */
+               if ((now - server->last_failed_open) > 600) {
+                       return false;
+               }
        }
-       return 1;
- }
  
+       return true;
+ }
  
+     
  
- REALM *tr_query_realm(const char *q_realm,
-                     const char  *q_community,
-                     const char *q_rprealm,
-                     const char *q_trustrouter,
-                     unsigned int q_trport)
+ REALM *tr_query_realm(char const *realm,
+                     char const  *community,
+                     char const *rprealm,
+                     char const *trustrouter,
+                     unsigned int port)
  {
        int conn = 0;
-       int rc;
+       int rcode;
        gss_ctx_id_t gssctx;
        struct resp_opaque cookie;