Sam Hartman [Wed, 23 Jul 2014 18:59:22 +0000 (14:59 -0400)]
Include sample module for the ABFAB trust router keys database
Sam Hartman [Wed, 23 Jul 2014 18:26:55 +0000 (14:26 -0400)]
Fixups from what we're actually submitting to FreeRADIUS
Back merge our to_be_reviewed branch.
Sam Hartman [Wed, 23 Jul 2014 17:43:38 +0000 (13:43 -0400)]
Update to ukerna (JANET/moonshot) dictionary
Sam Hartman [Wed, 23 Jul 2014 17:34:56 +0000 (13:34 -0400)]
Avoid use of moonshot in attribute names
Sam Hartman [Tue, 22 Jul 2014 20:41:19 +0000 (16:41 -0400)]
Fixes for abfab-idp policy
Sam Hartman [Tue, 22 Jul 2014 19:24:47 +0000 (15:24 -0400)]
abfab virtual server
Kevin Wasserman [Tue, 22 Jul 2014 20:19:11 +0000 (16:19 -0400)]
set gss-acceptor-realm-name
Kevin Wasserman [Tue, 22 Jul 2014 20:03:53 +0000 (16:03 -0400)]
Add gss-acceptor-realm-name check to abfab-tr
Kevin Wasserman [Tue, 22 Jul 2014 19:54:00 +0000 (15:54 -0400)]
fixup abfab-tr typos
Kevin Wasserman [Tue, 22 Jul 2014 19:22:02 +0000 (15:22 -0400)]
use client config for pre-proxy check and coi setting
Kevin Wasserman [Tue, 22 Jul 2014 19:01:48 +0000 (15:01 -0400)]
Add trustrouter psk and pre-proxy policies; move channel bindings guts here also
Sam Hartman [Tue, 22 Jul 2014 15:21:46 +0000 (11:21 -0400)]
clean up another merge hunk
Kevin Wasserman [Tue, 22 Jul 2014 17:43:05 +0000 (13:43 -0400)]
Merge branch 'v3.0.x' into tr-upgrade
Conflicts:
src/main/realms.c
src/modules/rlm_eap/libeap/eap_chbind.c
Kevin Wasserman [Tue, 22 Jul 2014 17:30:38 +0000 (13:30 -0400)]
Merge branch 'v3.0.x' into tr-upgrade
Arran Cudbard-Bell [Tue, 22 Jul 2014 17:23:22 +0000 (13:23 -0400)]
Merge pull request #742 from qnet-herwin/rlm_perl_v3.0.x
Fix error in attribute copying to rlm_perl
Herwin Weststrate [Tue, 22 Jul 2014 15:56:57 +0000 (17:56 +0200)]
Fix error in attribute copying to rlm_perl
Introduced in commit c225c615760d4c907640ebd249f860d5ab3258dd. It copied the RAD_REPLY hash twice, which had the side effect that some keys dropped out.
Sam Hartman [Tue, 22 Jul 2014 01:42:01 +0000 (21:42 -0400)]
parent can be null.
Sam Hartman [Mon, 21 Jul 2014 19:14:03 +0000 (15:14 -0400)]
Updates to trustrouter integration
Do not add home_servers and home_pools to the main trees. This makes dynamic updates and rekeys based on ssl failures much more difficult.
Instead, simply maintain our own auth pool and replace on each tr query.
Reference home servers so they stay around when active in a request or socket.
Sam Hartman [Fri, 18 Jul 2014 16:16:50 +0000 (12:16 -0400)]
Update to trustrouter 1.3 API
Update trust router integration code to the 1.3 API.
Rewrite much of the code to be more modular.
This is an intermediate commit. This version will reuse home_servers
between realms. Discussing this with Alan, that's not necessary and we
can simplify the code by avoiding that.
Herwin Weststrate [Tue, 15 Jul 2014 10:04:13 +0000 (12:04 +0200)]
Debian: Ensure some directories exist
This prevents some warnings when installing the package.
Arran Cudbard-Bell [Mon, 21 Jul 2014 14:30:18 +0000 (10:30 -0400)]
Other perl formatting
Arran Cudbard-Bell [Mon, 21 Jul 2014 14:25:25 +0000 (10:25 -0400)]
Fix multivalues attributes in rlm_perl. Addresses #731, Addresses #722
root [Mon, 21 Jul 2014 06:42:42 +0000 (06:42 +0000)]
Add the gigawords calculation for MSSQL in accounting stop SQL clause
Herwin Weststrate [Sun, 20 Jul 2014 08:57:21 +0000 (10:57 +0200)]
Added a NULL check to rlm_perl
Otherwise, trying to start rlm_perl with an invalid file parameter would cause a segfault.
Kevin Wasserman [Fri, 18 Jul 2014 19:45:11 +0000 (15:45 -0400)]
Add Moonshot-COI and Moonshot-APC attributes
Kevin Wasserman [Fri, 18 Jul 2014 16:46:41 +0000 (12:46 -0400)]
Retrieve tls psk identity from SSL and add to request vps
Kevin Wasserman [Fri, 18 Jul 2014 14:31:39 +0000 (10:31 -0400)]
Delay tls identity copy until packet decode
Kevin Wasserman [Thu, 17 Jul 2014 21:31:48 +0000 (17:31 -0400)]
One more attempt to copy psk identity into processed request vp list
Kevin Wasserman [Thu, 17 Jul 2014 19:33:45 +0000 (15:33 -0400)]
Grab identity from ssn, if available
Kevin Wasserman [Thu, 17 Jul 2014 12:45:01 +0000 (08:45 -0400)]
fixup typos in attr copy
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:51:30 +0000 (14:51 -0400)]
Merge pull request #732 from nchaigne/v3.0.x
dhcpclient - timeout and decline, release, inform
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:50:27 +0000 (14:50 -0400)]
Merge pull request #734 from spbnick/switch_cnf_to_sha256
Switch .cnf files to sha256 message digest
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:50:08 +0000 (14:50 -0400)]
Merge pull request #736 from spbnick/add_rlm_krb5_doc
Add minimal rlm_krb5 documentation file
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:49:51 +0000 (14:49 -0400)]
Merge pull request #735 from spbnick/add_P_option_to_man_pages
Add description of -P option to man pages
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:49:22 +0000 (14:49 -0400)]
Merge pull request #733 from spbnick/clarify_snmp_trap_conditions
Clarify conditions of limit hit SNMP notifications
Kevin Wasserman [Wed, 16 Jul 2014 18:00:59 +0000 (14:00 -0400)]
Copy tls-psk-identity from sock request when setting up new request
Nikolai Kondrashov [Wed, 16 Jul 2014 16:59:03 +0000 (19:59 +0300)]
Add description of -P option to man pages
Add description of -P option to radtest and radclient man pages.
Nikolai Kondrashov [Wed, 16 Jul 2014 17:04:20 +0000 (20:04 +0300)]
Clarify conditions of limit hit SNMP notifications
Use "hit" instead of "reach" in the descriptions of serverMaxRequest and
serverMaxThreads SNMP notifications to make it clearer that they trigger
upon attempt to exceed the limit, not upon reaching the maximum allowed
value.
Nikolai Kondrashov [Wed, 16 Jul 2014 17:22:40 +0000 (20:22 +0300)]
Switch .cnf files to sha256 message digest
Use sha256 as default_md (message digest) in all .cnf files as it is
more secure than the previous, now considered weak, sha1.
Nikolai Kondrashov [Wed, 16 Jul 2014 17:47:53 +0000 (20:47 +0300)]
Add minimal rlm_krb5 documentation file
Add doc/modules/rlm_krb5 - a minimal rlm_krb5 module documentation file,
based on the wiki page. Update raddb/mods-available/krb5 comments to
point to the actual and proper location.
Nicolas C [Wed, 16 Jul 2014 14:16:59 +0000 (16:16 +0200)]
dhcpclient - timeout and decline, release, inform
Added receive timeout on socket according to -t option (retries are
still not handled).
Added commands for "decline", "release" and "inform" messages.
Updated usage.
Alan T. DeKok [Tue, 15 Jul 2014 12:11:50 +0000 (08:11 -0400)]
More changes
Alan T. DeKok [Tue, 15 Jul 2014 12:06:01 +0000 (08:06 -0400)]
Note recent changes
jvoisin [Mon, 14 Jul 2014 23:34:42 +0000 (19:34 -0400)]
Check BN_rand_range return value
CVE-2014-4733.
In practice, the function should never fail.
jvoisin [Mon, 14 Jul 2014 23:31:02 +0000 (19:31 -0400)]
Constant time memory comparison.
CVE-2014-4731.
Non-constant time comparisons usually require millions of packets
in order to get enough statistics. This is VERY hard to do with
WiFi or wired 802.1X. The delays on switch port open / close
are on the order of seconds.
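An added illustration of the constant-time comparison the commit above introduces; this is not FreeRADIUS code, and both comparison routines, the iteration counter and the sample authenticator bytes are constructed for the example. The counter stands in for elapsed time: an early-exit compare stops at the first differing byte, so its running time tells an observer where the mismatch is, while the constant-time version visits every byte regardless.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not FreeRADIUS's own.  The iteration counter is
 * only there to make the timing difference observable in a test. */

/* Early-exit comparison: the number of iterations (and so the time taken)
 * reveals the index of the first mismatching byte. */
int leaky_memcmp(const uint8_t *a, const uint8_t *b, size_t n, size_t *iterations)
{
    size_t count = 0;
    int result = 0;
    for (size_t i = 0; i < n; i++) {
        count++;
        if (a[i] != b[i]) { result = 1; break; }
    }
    if (iterations) *iterations = count;
    return result;
}

/* Constant-time comparison: every byte is visited and the differences are
 * OR-ed together, so the work done is the same whether the inputs differ in
 * the first byte, the last byte, or not at all.  Returns 0 when equal. */
int ct_memcmp(const uint8_t *a, const uint8_t *b, size_t n, size_t *iterations)
{
    volatile uint8_t diff = 0;   /* volatile discourages the compiler from short-circuiting */
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        count++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    if (iterations) *iterations = count;
    return diff != 0;
}

/* Constructed sample: 16 bytes standing in for a Message-Authenticator value,
 * and a forged copy that differs at index 2. */
static const uint8_t good_auth[16] = {
    0x9f, 0x3b, 0x7a, 0xc1, 0x00, 0x12, 0x34, 0x56,
    0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x11, 0x22, 0x33
};
static const uint8_t forged_auth[16] = {
    0x9f, 0x3b, 0x7b, 0xc1, 0x00, 0x12, 0x34, 0x56,
    0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x11, 0x22, 0x33
};

/* How many bytes each routine examines before deciding the sample is forged. */
size_t leaky_iterations_on_sample(void)
{
    size_t it = 0;
    leaky_memcmp(good_auth, forged_auth, sizeof good_auth, &it);
    return it;   /* stops right after the mismatch at index 2 */
}

size_t ct_iterations_on_sample(void)
{
    size_t it = 0;
    ct_memcmp(good_auth, forged_auth, sizeof good_auth, &it);
    return it;   /* always the full length */
}

int main(void)
{
    printf("early-exit compare examined %zu bytes, constant-time compare %zu\n",
           leaky_iterations_on_sample(), ct_iterations_on_sample());
    return 0;
}
```

The comparison result is the same in both cases; only the amount of work differs, which is exactly the side channel the commit closes for authenticator and digest checks.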
jvoisin [Mon, 14 Jul 2014 23:29:06 +0000 (19:29 -0400)]
Use *_clear_free instead of *_free.
CVE-2014-4732
Kevin Wasserman [Mon, 14 Jul 2014 18:42:13 +0000 (14:42 -0400)]
Reject on any channel bindings attribute mismatch
Arran Cudbard-Bell [Sat, 12 Jul 2014 19:02:20 +0000 (15:02 -0400)]
Update ChangeLog
Arran Cudbard-Bell [Sat, 12 Jul 2014 17:41:47 +0000 (13:41 -0400)]
Add module type sanity check
Arran Cudbard-Bell [Sat, 12 Jul 2014 14:28:06 +0000 (10:28 -0400)]
Add support for connection pool reuse
Arran Cudbard-Bell [Thu, 10 Jul 2014 20:45:48 +0000 (16:45 -0400)]
Convert another argument to bool
Alan DeKok [Sat, 12 Jul 2014 13:40:30 +0000 (09:40 -0400)]
Merge pull request #730 from nchaigne/v3.0.x
dhcpclient - store xid when encoding request
Nicolas C [Fri, 11 Jul 2014 16:16:46 +0000 (18:16 +0200)]
dhcpclient - store xid when encoding request
Fixes the incorrect debug message "Encoding DHCP-Discover of id
ffffffff".
And this will allow correlating the xid from the response (should be done by
the client, but not yet).
Arran Cudbard-Bell [Thu, 10 Jul 2014 16:40:17 +0000 (12:40 -0400)]
Typo
Arran Cudbard-Bell [Thu, 10 Jul 2014 16:35:05 +0000 (12:35 -0400)]
Formatting and documentation
Sam Hartman [Thu, 10 Jul 2014 11:41:09 +0000 (07:41 -0400)]
find_client: min prefix of 0 needs to work
Use signed loop counter to permit 0-1 to be <= min_prefix
Sam Hartman [Thu, 10 Jul 2014 13:42:18 +0000 (09:42 -0400)]
fr_inaddr_mask fix 0 prefix
Don't depend on the behavior of shifting by 32-bits on a 32-bit type.
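An added example for the two prefix-0 fixes above (find_client and fr_inaddr_mask); it is not FreeRADIUS code, and mask_for_prefix, apply_mask, find_client and the client table are hypothetical helpers constructed here. Shifting a 32-bit value by 32 is undefined behaviour in C, so a /0 mask is special-cased instead of computed by shifting, and the lookup loop uses a signed counter so that it can run down to and include prefix 0 without wrapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not FreeRADIUS's fr_inaddr_mask: IPv4 netmask for
 * `prefix` bits, host byte order.  `~0u << 32` is undefined in C, so the
 * 0-bit case returns 0 directly. */
uint32_t mask_for_prefix(int prefix)
{
    if (prefix <= 0) return 0;             /* 0.0.0.0/0 matches everything */
    if (prefix >= 32) return 0xffffffffu;  /* host route */
    return ~((uint32_t)0) << (32 - prefix);
}

uint32_t apply_mask(uint32_t addr, int prefix)
{
    return addr & mask_for_prefix(prefix);
}

struct client {
    uint32_t    net;     /* network address, host byte order */
    int         prefix;  /* prefix length in bits */
    const char *name;
};

/* Constructed sample table.  The /0 entry is the catch-all that an
 * unsigned-counter loop could never reach when min_prefix was 0. */
static const struct client clients[] = {
    { 0xc0a80100u, 24, "lan" },        /* 192.168.1.0/24 */
    { 0x0a000001u, 32, "host-a" },     /* 10.0.0.1/32    */
    { 0x00000000u,  0, "catch-all" },  /* 0.0.0.0/0      */
};

/* Longest-prefix lookup from /32 down to /min_prefix inclusive.  With an
 * unsigned counter, 0 - 1 would wrap to UINT_MAX and the loop would never
 * terminate once min_prefix is 0; a signed int makes -1 < 0 and stops it. */
const struct client *find_client(uint32_t addr, int min_prefix)
{
    for (int prefix = 32; prefix >= min_prefix; prefix--) {
        uint32_t net = apply_mask(addr, prefix);
        for (size_t i = 0; i < sizeof(clients) / sizeof(clients[0]); i++) {
            if (clients[i].prefix == prefix && clients[i].net == net) {
                return &clients[i];
            }
        }
    }
    return NULL;
}

int main(void)
{
    const struct client *c = find_client(0x08080808u, 0);  /* 8.8.8.8, allow /0 */
    printf("8.8.8.8 -> %s (/%d)\n", c ? c->name : "(none)", c ? c->prefix : -1);
    return 0;
}
```

With min_prefix set to 0 the catch-all entry is found; raising min_prefix above 0 makes the same lookup return NULL, which is the behaviour a configuration relying on a default client expects to control.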
Sam Hartman [Thu, 10 Jul 2014 14:58:53 +0000 (10:58 -0400)]
tr_integ: set home server response window
Sam Hartman [Thu, 10 Jul 2014 14:13:17 +0000 (10:13 -0400)]
Clean up changes no longer needed.
We had several hunks left over from merges with upstream that are no longer needed.
Clean up the upstream diff.
Sam Hartman [Thu, 10 Jul 2014 13:42:18 +0000 (09:42 -0400)]
fr_inaddr_mask fix 0 prefix
Don't depend on the behavior of shifting by 32-bits on a 32-bit type.
Sam Hartman [Thu, 10 Jul 2014 11:41:09 +0000 (07:41 -0400)]
find_client: min prefix of 0 needs to work
Use signed loop counter to permit 0-1 to be <= min_prefix
Alan T. DeKok [Thu, 10 Jul 2014 03:21:52 +0000 (23:21 -0400)]
Allow User-Name in CUI reply
Alan T. DeKok [Wed, 9 Jul 2014 19:33:24 +0000 (15:33 -0400)]
Use loop index to get description. Closes #729
Alan T. DeKok [Wed, 9 Jul 2014 19:27:37 +0000 (15:27 -0400)]
A parent config section might not exist
when dynamically adding a home server.
Arran Cudbard-Bell [Wed, 9 Jul 2014 16:34:30 +0000 (12:34 -0400)]
Remove useless extern declarations
Arran Cudbard-Bell [Wed, 9 Jul 2014 15:26:34 +0000 (11:26 -0400)]
Cleanup EAP-SIM macros
Arran Cudbard-Bell [Wed, 9 Jul 2014 15:25:26 +0000 (11:25 -0400)]
Debug condition is now a fr_cond_t
Arran Cudbard-Bell [Wed, 9 Jul 2014 15:12:23 +0000 (11:12 -0400)]
Limit which operators can be used with LDAP group comparison
and other minor cleanups
Sam Hartman [Wed, 9 Jul 2014 11:28:07 +0000 (07:28 -0400)]
Allow null parent in add_home_server
When dynamically adding a home server it is likely that no config
section will be available thus no parent section.
Arran Cudbard-Bell [Wed, 9 Jul 2014 00:09:19 +0000 (20:09 -0400)]
Formatting
Arran Cudbard-Bell [Wed, 9 Jul 2014 00:09:00 +0000 (20:09 -0400)]
Fixup Sqlite schema
Stefan Paetow [Tue, 8 Jul 2014 08:45:01 +0000 (09:45 +0100)]
Update cui
Updated comments to clarify the dual purpose of the unlang fragment.
Arran Cudbard-Bell [Tue, 8 Jul 2014 03:23:25 +0000 (23:23 -0400)]
Try and make dlopen library search messages clearer
Alan T. DeKok [Tue, 8 Jul 2014 02:35:12 +0000 (22:35 -0400)]
Remove reply:User-Name only if there's a reply:CUI
Herwin Weststrate [Sun, 6 Jul 2014 10:37:27 +0000 (12:37 +0200)]
Changed integer type for rlm_eap_{ttls,peap} tunnel types to bool where applicable
Herwin Weststrate [Sun, 6 Jul 2014 10:55:03 +0000 (12:55 +0200)]
Use enums instead of define lists in rlm_eap_peap
But only for the values that are only used internally.
Arran Cudbard-Bell [Mon, 7 Jul 2014 18:28:21 +0000 (14:28 -0400)]
Formatting
Alan T. DeKok [Mon, 7 Jul 2014 16:09:28 +0000 (12:09 -0400)]
As posted to the list
Arran Cudbard-Bell [Fri, 4 Jul 2014 15:08:19 +0000 (11:08 -0400)]
Merge pull request #725 from nchaigne/v3.0.x
radeapclient - fix send_packet
Nicolas C [Fri, 4 Jul 2014 15:03:33 +0000 (17:03 +0200)]
radeapclient - fix send_packet
I spotted two errors in radeapclient.c, introduced in the following
previous commits.
With this fix, radeapclient is now usable again.
1)
Commit:
c8a062a112f17a5810d311dc0e0acfe963b2d440
(2014/06/13)
- send_packet(rep, &req);
-
- if (!req) return -1;
+ send_packet(req, &rep);
+ if (!rep) {
Arguments got reversed. Hence segmentation fault later when doing:
for (vp = req->vps; vp != NULL; vp = vpnext) {
Bit of caution on the wording used in radeapclient:
"req" is the request coming FROM the server. (because this is not a
"request" in RADIUS sense, but an EAP-Request within the EAP-SIM
transaction.)
"rep" is the response from the client TO the server (EAP-Response).
2)
Commit:
bc3676835c3dcc220ab518d4c3c35962bc0f8be2
(2014/05/02)
In "send_packet":
+ if (!req || !rep || !*rep) return -1;
*rep == NULL is the expected behaviour...
Philippe Wooding [Fri, 4 Jul 2014 10:33:44 +0000 (12:33 +0200)]
In redhat spec file, update dependency on json-c to version 0.10 as 0.11 only exists for fedora and 0.10 builds ok
Philippe Wooding [Fri, 4 Jul 2014 10:29:29 +0000 (12:29 +0200)]
Update redhat spec file to reflect the fact rlm_host is no longer experimental.
Alan T. DeKok [Wed, 2 Jul 2014 23:59:51 +0000 (19:59 -0400)]
Use correct type for length
Alan T. DeKok [Wed, 2 Jul 2014 23:45:37 +0000 (19:45 -0400)]
No need for casting in talloc_array_length()
Alan T. DeKok [Wed, 2 Jul 2014 23:43:51 +0000 (19:43 -0400)]
rad_vp2attr() returns -1 on error, 0 on "not enough room"
Kevin Wasserman [Wed, 2 Jul 2014 11:56:39 +0000 (07:56 -0400)]
Channel bindings fixes
-fix size calculation
-skip unwanted attrs when copying
-add safety check to copy code in case size is wrong
-add cast to get correct result from talloc_array_length()
Kevin Wasserman [Mon, 30 Jun 2014 15:41:32 +0000 (11:41 -0400)]
Don't call free on talloc'ed channel bindings packet
Kevin Wasserman [Sat, 28 Jun 2014 09:22:25 +0000 (05:22 -0400)]
Fix cursor initialization bugs in eap_chbind_vp2packet
Herwin Weststrate [Wed, 2 Jul 2014 17:21:01 +0000 (19:21 +0200)]
Fixed adding attributes with multiple values to rlm_perl
Without this fix, the array in Perl would start with the value of the
first attribute in the packet, combined with the actual values of the
attribute.
The debug log would look like this:
$RAD_REPLY{'User-Name'}[0] = &reply:User-Name -> 'anonymous'
$RAD_REPLY{'h323-credit-amount'}[1] = &reply:h323-credit-amount -> '100'
$RAD_REPLY{'h323-credit-amount'}[2] = &reply:h323-credit-amount -> '101'
The actual value of $RAD_REPLY{'h323-credit-amount'} is
['anonymous','100','101']
Kevin Wasserman [Wed, 2 Jul 2014 11:56:39 +0000 (07:56 -0400)]
Channel bindings fixes
-fix size calculation
-skip unwanted attrs when copying
-add safety check to copy code in case size is wrong
-add cast to get correct result from talloc_array_length()
Arran Cudbard-Bell [Tue, 1 Jul 2014 17:48:25 +0000 (13:48 -0400)]
Merge pull request #719 from nchaigne/v3.0.x
3.0.x - Make EAP-SIM work again - proper encoding of EAP-SIM attributes ...
Nicolas C [Tue, 1 Jul 2014 15:03:03 +0000 (17:03 +0200)]
3.0.x - Make EAP-SIM work again - proper encoding of EAP-SIM attributes within EAP-Message
This fix follows the issue I logged (on the mailing list, not on GitHub)
on June 11th.
As a reminder, the problem happened after a commit which (among other
things) modified the EAP-SIM attributes.
Since this commit, EAP-SIM authentication does not work because
EAP-Message is not properly encoded anymore by FreeRADIUS.
I believe the commit is the following:
https://github.com/FreeRADIUS/freeradius-server/commit/39df09e42d80a96363be0bddee2ff0ba97fdb035
So, here is a fix.
I also fixed the attributes issue in radeapclient, but at the moment the
binary is unusable: it crashes, and I don't have time to look into this.
(I tested the fix with another EAP client)
Arran Cudbard-Bell [Tue, 1 Jul 2014 13:58:31 +0000 (09:58 -0400)]
Inline breaks linking?
Arran Cudbard-Bell [Tue, 1 Jul 2014 13:44:50 +0000 (09:44 -0400)]
Fix capitalisation in UKERNA dictionary Fixes #718
Arran Cudbard-Bell [Tue, 1 Jul 2014 13:11:21 +0000 (09:11 -0400)]
Other things still reference dict_attr_allowed_chars
Herwin Weststrate [Mon, 30 Jun 2014 10:46:24 +0000 (12:46 +0200)]
Fixed reference to config file
Herwin Weststrate [Thu, 26 Jun 2014 12:04:55 +0000 (14:04 +0200)]
Readability fixes in mods-available/perl
Alignment is now stable with any tab width.
Herwin Weststrate [Tue, 17 Jun 2014 16:00:46 +0000 (18:00 +0200)]
Fixed typo in rlm_sql.c
s/afftected/affected/
Herwin Weststrate [Mon, 16 Jun 2014 15:05:58 +0000 (17:05 +0200)]
Fixed some tabs/spaces in default virtual server
Arran Cudbard-Bell [Mon, 30 Jun 2014 18:25:40 +0000 (19:25 +0100)]
Use RFC language in eap.c messages