Arran Cudbard-Bell [Fri, 10 Apr 2015 05:16:32 +0000 (01:16 -0400)]
Formatting
Arran Cudbard-Bell [Fri, 10 Apr 2015 04:39:10 +0000 (00:39 -0400)]
Can't define an unknown attribute with TMPL_TYPE_DATA...
Arran Cudbard-Bell [Fri, 10 Apr 2015 03:52:34 +0000 (23:52 -0400)]
Fixup docs for tmpl_afrom_attr_substr
Arran Cudbard-Bell [Fri, 10 Apr 2015 00:50:31 +0000 (20:50 -0400)]
Need to set new rhs->name len
Arran Cudbard-Bell [Fri, 10 Apr 2015 00:50:13 +0000 (20:50 -0400)]
Use the same reverse goto on error as everywhere else...
Alan T. DeKok [Fri, 10 Apr 2015 01:00:14 +0000 (21:00 -0400)]
Call map_cast_from_hex only for unknown attrs. Addresses #952
Alan T. DeKok [Fri, 10 Apr 2015 00:01:19 +0000 (20:01 -0400)]
whitespace
Alan T. DeKok [Fri, 10 Apr 2015 00:00:26 +0000 (20:00 -0400)]
Fail if there's no Cleartext-Password
Arran Cudbard-Bell [Thu, 9 Apr 2015 23:05:31 +0000 (19:05 -0400)]
Fix for gcc
Arran Cudbard-Bell [Thu, 9 Apr 2015 22:54:33 +0000 (18:54 -0400)]
bstrndup and bstrncpy are probably better names
Arran Cudbard-Bell [Thu, 9 Apr 2015 22:15:10 +0000 (18:15 -0400)]
TALLOC_CTX not always available
Arran Cudbard-Bell [Thu, 9 Apr 2015 21:24:11 +0000 (17:24 -0400)]
Fixup a bunch of bad calls to talloc_memdup
The bulk of these either copied len + 1 (which is wrong, as we can't guarantee the next byte is \0 or is a valid address) or were used in places where the duped buffer may have been expected to be \0 terminated.
Alan T. DeKok [Thu, 9 Apr 2015 14:41:31 +0000 (10:41 -0400)]
Fix for last few commits
The TLS attrs are strings, so we don't need VALUEs
Alan T. DeKok [Thu, 9 Apr 2015 14:24:18 +0000 (10:24 -0400)]
Define named value. We probably want to define more later..
Alan T. DeKok [Thu, 9 Apr 2015 14:22:48 +0000 (10:22 -0400)]
Mash name spaces to dashes, too
Alan T. DeKok [Thu, 9 Apr 2015 14:20:30 +0000 (10:20 -0400)]
Fix error message
Alan T. DeKok [Thu, 9 Apr 2015 13:59:48 +0000 (09:59 -0400)]
Remove extraneous "+ 16"
Alan T. DeKok [Wed, 8 Apr 2015 16:23:50 +0000 (12:23 -0400)]
make client certs available for TLS application data packets
i.e. PEAP and TTLS. But only when there's a client certificate,
AND EAP-TLS-Require-Client-Certificate = 1
Alan T. DeKok [Wed, 8 Apr 2015 15:47:25 +0000 (11:47 -0400)]
Note TLS issues
Alan T. DeKok [Wed, 8 Apr 2015 15:44:22 +0000 (11:44 -0400)]
On TLS success, add the certs to the request
So that they can be used in post-auth processing.
Alan T. DeKok [Wed, 8 Apr 2015 15:43:48 +0000 (11:43 -0400)]
The cert attributes are NOT added to the request.
They're added to the TLS session data. Don't confuse the user.
Arran Cudbard-Bell [Wed, 8 Apr 2015 15:29:49 +0000 (11:29 -0400)]
Apparently older versions of doxygen don't appreciate attributes before the function definition
Arran Cudbard-Bell [Wed, 8 Apr 2015 15:13:24 +0000 (11:13 -0400)]
Doxygen fixups
Arran Cudbard-Bell [Wed, 8 Apr 2015 00:46:12 +0000 (20:46 -0400)]
Typo in comment
Arran Cudbard-Bell [Tue, 7 Apr 2015 00:49:33 +0000 (20:49 -0400)]
Escape log filenames correctly in vradlog_request
Arran Cudbard-Bell [Mon, 6 Apr 2015 18:23:52 +0000 (14:23 -0400)]
Doxygen
Arran Cudbard-Bell [Mon, 6 Apr 2015 16:36:41 +0000 (12:36 -0400)]
Install doxygen
Alan T. DeKok [Sun, 5 Apr 2015 13:58:23 +0000 (09:58 -0400)]
note recent changes
Alan T. DeKok [Sun, 5 Apr 2015 13:56:44 +0000 (09:56 -0400)]
Better name for variable
Alan T. DeKok [Sat, 4 Apr 2015 21:57:53 +0000 (17:57 -0400)]
Fix for redundant-load-balance. Closes #945
In normal operations, modcall_child / modcall_recurse processes
the current node, and all of its children. For redundant-load-balance,
we want to loop BACK from the end of the list to the start, AND
stop when we reach the first one we found again.
This means we have to tell the functions "process ONE node only",
and do all "next" operations ourselves.
Alan T. DeKok [Sat, 4 Apr 2015 20:38:54 +0000 (16:38 -0400)]
Remove redundant open brace
Alan T. DeKok [Sat, 4 Apr 2015 20:34:26 +0000 (16:34 -0400)]
Revert "Loop over COUNT entries. Maybe addresses #945"
Nope.
This reverts commit
e774cb6ff53032a632957e57c06a5939bb26e5f5.
Alan T. DeKok [Fri, 3 Apr 2015 00:36:50 +0000 (20:36 -0400)]
More checks on identity
Alan T. DeKok [Fri, 3 Apr 2015 00:32:03 +0000 (20:32 -0400)]
Limit identity length
Alan T. DeKok [Thu, 2 Apr 2015 23:40:56 +0000 (19:40 -0400)]
Allow EAP-MSCHAPv2 to have configurable server identity. Fixes #932.
We don't allow this to be dynamically expanded. It's just easier.
Alan T. DeKok [Wed, 1 Apr 2015 17:49:22 +0000 (13:49 -0400)]
added VALUEs
Alan T. DeKok [Wed, 1 Apr 2015 17:34:19 +0000 (13:34 -0400)]
Added from RFC which has numbers assigned
Alan T. DeKok [Wed, 1 Apr 2015 16:08:30 +0000 (12:08 -0400)]
Warning for old config
Alan T. DeKok [Wed, 1 Apr 2015 15:13:56 +0000 (11:13 -0400)]
Fix cppcheck complaint
Alan T. DeKok [Wed, 1 Apr 2015 14:36:50 +0000 (10:36 -0400)]
Update proxy docs for TLS
Alan T. DeKok [Wed, 1 Apr 2015 14:32:45 +0000 (10:32 -0400)]
Remove bad free
Alan T. DeKok [Wed, 1 Apr 2015 12:57:15 +0000 (08:57 -0400)]
Loop over COUNT entries. Maybe addresses #945
Alan T. DeKok [Wed, 1 Apr 2015 12:30:04 +0000 (08:30 -0400)]
Revert "Unlock file while waiting for the DB"
This reverts commit
a91017d3c391093493757cd4651a455770c4c8c1.
It's better for the server to do this in exfile.c
Alan T. DeKok [Wed, 1 Apr 2015 12:28:26 +0000 (08:28 -0400)]
Try 3 times to lock it. If it fails, return an error
Alan T. DeKok [Wed, 1 Apr 2015 12:17:05 +0000 (08:17 -0400)]
Create correctly formatted session cache entries
Alan T. DeKok [Tue, 31 Mar 2015 21:18:48 +0000 (17:18 -0400)]
Complain if stupid people disable all TLS versions
Alan DeKok [Wed, 1 Apr 2015 12:02:22 +0000 (08:02 -0400)]
Merge pull request #946 from mcnewton/pr2
Small elasticsearch fixups
Matthew Newton [Wed, 1 Apr 2015 11:41:48 +0000 (12:41 +0100)]
Small elasticsearch fixups
Arran Cudbard-Bell [Tue, 31 Mar 2015 22:16:10 +0000 (18:16 -0400)]
Merge pull request #944 from mcnewton/pr
logstash/elasticsearch config for detail file analysis
Matthew Newton [Tue, 31 Mar 2015 21:48:26 +0000 (22:48 +0100)]
Add example elasticsearch/logstash config for detail files
Matthew Newton [Tue, 31 Mar 2015 21:45:33 +0000 (22:45 +0100)]
Tidy documentation formatting/whitespace
Arran Cudbard-Bell [Tue, 31 Mar 2015 21:39:02 +0000 (17:39 -0400)]
Servers are freed individually on server exit, so can't be parented off of the client
Alan T. DeKok [Tue, 31 Mar 2015 20:59:03 +0000 (16:59 -0400)]
note recent changes
Alan T. DeKok [Tue, 31 Mar 2015 20:57:49 +0000 (16:57 -0400)]
Warn on use of expanded EAP types
Alan T. DeKok [Tue, 31 Mar 2015 20:45:46 +0000 (16:45 -0400)]
Convert expanded EAP to normal EAP
Alan T. DeKok [Tue, 31 Mar 2015 19:58:29 +0000 (15:58 -0400)]
First stab at supporting Expanded Type EAP packets
Only for vendor 0 (IETF). And only for known EAP types.
Untested, so it's ifdef'd out. Once it's tested, we can enable
it.
Alan T. DeKok [Tue, 31 Mar 2015 19:16:33 +0000 (15:16 -0400)]
Only call tr_init if trust router is configured
And only call "get realm" on the same conditions
Alan T. DeKok [Tue, 31 Mar 2015 17:39:20 +0000 (13:39 -0400)]
Fail safely if there's no trust router
Alan T. DeKok [Tue, 31 Mar 2015 16:35:20 +0000 (12:35 -0400)]
Be a bit more careful about locking files
We try to lock it non-blocking. If that fails, close the file,
re-open it, and try to lock it again.
This lets us catch the corner case of the reader re-naming the
file after we opened it, locking it, and trying again.
Alan T. DeKok [Tue, 31 Mar 2015 15:50:55 +0000 (11:50 -0400)]
Unlock file while waiting for the DB
Otherwise the server might block forever waiting for our lock
to be released
Alan T. DeKok [Tue, 31 Mar 2015 15:36:28 +0000 (11:36 -0400)]
Remove unnecessary comment
Arran Cudbard-Bell [Tue, 31 Mar 2015 16:24:51 +0000 (12:24 -0400)]
Add version strings for TLS 1.1, 1.2 and 1.3
Arran Cudbard-Bell [Tue, 31 Mar 2015 16:14:59 +0000 (12:14 -0400)]
Update ChangeLog
Arran Cudbard-Bell [Tue, 31 Mar 2015 15:25:29 +0000 (11:25 -0400)]
Re-enable TLS 1.2 by default
Arran Cudbard-Bell [Tue, 31 Mar 2015 14:50:06 +0000 (10:50 -0400)]
Typos
Arran Cudbard-Bell [Tue, 31 Mar 2015 14:38:51 +0000 (10:38 -0400)]
Use SSL_export_keying_material if available. This generates keys using the correct PRF with TLS 1.2
Alan T. DeKok [Tue, 31 Mar 2015 13:59:22 +0000 (09:59 -0400)]
note recent changes
Alan T. DeKok [Tue, 31 Mar 2015 13:57:41 +0000 (09:57 -0400)]
Allow disabling of tlsv1
Alan T. DeKok [Tue, 31 Mar 2015 13:14:55 +0000 (09:14 -0400)]
Stop on no next entry
Alan T. DeKok [Tue, 31 Mar 2015 13:14:41 +0000 (09:14 -0400)]
Fix compilation errors
Alan T. DeKok [Tue, 31 Mar 2015 02:46:24 +0000 (22:46 -0400)]
Update for 3.0.8
Alan T. DeKok [Tue, 31 Mar 2015 02:46:12 +0000 (22:46 -0400)]
Comments
Alan T. DeKok [Mon, 30 Mar 2015 17:59:53 +0000 (13:59 -0400)]
Don't use 2 names for the same thing
Arran Cudbard-Bell [Tue, 31 Mar 2015 00:25:11 +0000 (20:25 -0400)]
Merge pull request #931 from nchaigne/3.0.x-fb4-rc
radeapclient - eap context struct
Arran Cudbard-Bell [Mon, 30 Mar 2015 22:01:06 +0000 (18:01 -0400)]
New travis apt plugin config structure
Arran Cudbard-Bell [Mon, 30 Mar 2015 21:40:16 +0000 (17:40 -0400)]
Disable TLS 1.2 by default. Causes MPPE key mismatches with eapol_test.
Arran Cudbard-Bell [Mon, 30 Mar 2015 16:38:32 +0000 (12:38 -0400)]
Print the attributes EAP-TLS extension attribute we're not going to add
Alan T. DeKok [Sun, 29 Mar 2015 19:55:05 +0000 (15:55 -0400)]
Note recent changes
Alan T. DeKok [Sun, 29 Mar 2015 19:48:16 +0000 (15:48 -0400)]
Remove references to ${certdir}/random, and replace with /dev/urandom
Arran Cudbard-Bell [Sun, 29 Mar 2015 14:37:53 +0000 (10:37 -0400)]
Another analyzer error
Arran Cudbard-Bell [Sun, 29 Mar 2015 14:36:08 +0000 (10:36 -0400)]
Build doxygen docs
Arran Cudbard-Bell [Sun, 29 Mar 2015 14:19:48 +0000 (10:19 -0400)]
Clang scan analyzer errors
Arran Cudbard-Bell [Sun, 29 Mar 2015 03:56:35 +0000 (23:56 -0400)]
Fail on scan errors
Arran Cudbard-Bell [Sun, 29 Mar 2015 02:41:02 +0000 (22:41 -0400)]
Doxygen
Arran Cudbard-Bell [Sun, 22 Mar 2015 01:49:01 +0000 (21:49 -0400)]
Attempt to move to travis container infrastructure
Seeing as the linux build farm is currently maxed out at 320 concurrent builds
Alan T. DeKok [Sat, 28 Mar 2015 21:55:38 +0000 (16:55 -0500)]
Initialize raddb_dir, too
Alan T. DeKok [Fri, 27 Mar 2015 17:30:50 +0000 (12:30 -0500)]
note recent changes
Alan T. DeKok [Fri, 27 Mar 2015 17:26:39 +0000 (12:26 -0500)]
Set "nodup" for DHCP sockets
Alan T. DeKok [Fri, 27 Mar 2015 17:16:36 +0000 (12:16 -0500)]
Simplify cleanup logic.
Debug the packet prior to sending it. Do cleanup_delay on
RADIUS Access-Requests and CoA packets. Everything else gets
cleaned up immediately.
Alan T. DeKok [Fri, 27 Mar 2015 17:06:40 +0000 (12:06 -0500)]
Cleanup DHCP packets immediately
Alan T. DeKok [Fri, 27 Mar 2015 16:10:48 +0000 (11:10 -0500)]
No comment in comment issues
Alan T. DeKok [Fri, 27 Mar 2015 15:41:52 +0000 (10:41 -0500)]
Set dict_dir
Alan T. DeKok [Fri, 27 Mar 2015 13:37:05 +0000 (08:37 -0500)]
Better fix for previous commit
Matthew Newton [Thu, 26 Mar 2015 22:35:27 +0000 (22:35 +0000)]
Improve errors on winbind authentication failure
This is very nice, as Samba gives us useful messages like
Wrong Password [0xC000006A]
Account expired [0xC0000193]
Must change password [0xC0000224]
Account locked out [0xC0000234]
when the authentication fails, which are then pushed into
Module-Failure-Message so the admin knows exactly what happened.
This also now handles password expiry so mschap returns the
"change password" trigger.
Alan T. DeKok [Fri, 27 Mar 2015 13:33:24 +0000 (08:33 -0500)]
note recent changes
Alan T. DeKok [Fri, 27 Mar 2015 13:30:35 +0000 (08:30 -0500)]
Add -D to radwho and radzap
Arran Cudbard-Bell [Fri, 27 Mar 2015 13:09:31 +0000 (09:09 -0400)]
Minor formatting in tls.c
Arran Cudbard-Bell [Fri, 27 Mar 2015 05:48:29 +0000 (01:48 -0400)]
Don't crash when using the NULL driver in select queries
Arran Cudbard-Bell [Fri, 27 Mar 2015 12:31:59 +0000 (08:31 -0400)]
Merge pull request #940 from nchaigne/3.0.x-fb5-fqdn
DHCP-Client-FQDN is not a string
Nicolas C [Fri, 27 Mar 2015 11:38:23 +0000 (12:38 +0100)]
DHCP-Client-FQDN is not a string
See RFC 4702.
DHCP-Client-FQDN (DHCP option 81) is actually a record composed of:
- first octet: "Flags"
- second octet: "RCODE1"
- third octet: "RCODE2"
- and then "Domain Name" (which is a string)
But I don't think that FreeRADIUS dictionaries support encoding /
decoding such a format, so octets is the best option we have.