aland [Fri, 11 Nov 2005 01:44:42 +0000 (01:44 +0000)]
As found on the net
aland [Fri, 11 Nov 2005 00:32:48 +0000 (00:32 +0000)]
Include files used to build the server are now <freeradius-devel/*.h>
If this is bad, we can easily change it in the future to something
like <freeradius/*.h>.
Also, updated rlm_sqlippool to build with the recent cleanups.
The work was done via a Perl script, and the server rebuilt &
tested to be sure it works.
fcusack [Tue, 8 Nov 2005 11:00:34 +0000 (11:00 +0000)]
s/otp_get_challenge/otp_async_challenge/ to avoid confusion with
sync challenge
fcusack [Tue, 8 Nov 2005 10:56:49 +0000 (10:56 +0000)]
combine another FR and PAM debug option (missed earlier)
fcusack [Tue, 8 Nov 2005 10:51:43 +0000 (10:51 +0000)]
fix logging:
- add __func__ to otp_log(), where missing
- don't prepend MODULE_NAME in otp_log(), instead make it part of
log_prefix (as appropriate)
fcusack [Tue, 8 Nov 2005 10:43:20 +0000 (10:43 +0000)]
fix signed/unsigned comparison
fcusack [Tue, 8 Nov 2005 09:06:45 +0000 (09:06 +0000)]
combine FR and PAM debug options
fcusack [Tue, 8 Nov 2005 08:56:21 +0000 (08:56 +0000)]
Change user_state 'challenge' field from string to uchar, which
makes more sense for crypto and other manipulation. Unfortunately,
it is a huge change for such a small gain (basically avoiding
sprintf() and sscanf() conversions.)
Notable changes:
- otp.h: add 'clen' field to user_state; update it wherever the
'challenge' field is set
- otp_cardops.h: add printchallenge() method, OTP_CF_C8 and OTP_CF_C4
Card Feature macros
- cardops keystring2keyblock() method and otp_keystring2keyblock()
now return keylen (instead of 0) on success
- otp_keyblock2keystring() now takes a length arg and returns char *
for easy printing
- remove [unused] 'card_info' and 'log_prefix' args to cardops
updatecsd() method
- otp_gen_challenge() noted as cryptocard-specific with quirky behavior
- otp_challenge_transform() explicitly returns new challenge length
- cryptocard.c:cryptocard_challenge(): Remove hardcoded challenge
length of 8. Yes, *sync* challenge length must be 8 but challenge
might be a different size due to resync with an async challenge.
This worked before but became a bug when we changed the user_state
'challenge' field to be the previous (instead of the next) challenge.
fcusack [Tue, 8 Nov 2005 04:02:20 +0000 (04:02 +0000)]
add scratch3 back to user_state, to hold csd offset
aland [Mon, 7 Nov 2005 19:46:30 +0000 (19:46 +0000)]
On deleting the request list, kill any live threads that are
processing the request, and mark the request as having no
child pid.
We should fix up the thread pool, too, to catch the case of
"disappeared" child threads
fcusack [Mon, 7 Nov 2005 09:28:33 +0000 (09:28 +0000)]
s/user_info/card_info/
fcusack [Mon, 7 Nov 2005 06:19:05 +0000 (06:19 +0000)]
remove extra scratch field from user_state
fcusack [Mon, 7 Nov 2005 03:46:07 +0000 (03:46 +0000)]
- otp.h: add scratch data fields to otp_user_state_t, for tmp use
by cardops methods
- change 'user_state' arg to cardops challenge() method to non-const,
so that state can be updated with scratch data for later methods
- remove [unused] 'challenge' arg to cardops updatecsd() method, and
reorder 'when' arg to be consistent with challenge() method
- remove 'twin' arg to cardops isconsecutive() method; time data now
stored as scratch data (twin data is meaningless, it must be
converted to a time counter which is already done in challenge(),
so don't do it again)
fcusack [Sat, 5 Nov 2005 08:43:37 +0000 (08:43 +0000)]
remove csd arg to cardops response() method
fcusack [Sat, 5 Nov 2005 02:11:03 +0000 (02:11 +0000)]
remove cardops isearly() method, instead the challenge() method now
returns multiple error codes, eliminating some duplicate code and
saving a function call
fcusack [Sat, 5 Nov 2005 01:07:13 +0000 (01:07 +0000)]
remove 'now' arg from cardops maxtwin() method
fcusack [Sat, 5 Nov 2005 00:52:40 +0000 (00:52 +0000)]
Description:
update cardops challenge() method: change order of 'challenge' and
'when' args, change 'twin' and 'ewin' args to type int
aland [Fri, 4 Nov 2005 19:30:40 +0000 (19:30 +0000)]
Use closefrom
aland [Fri, 4 Nov 2005 19:29:54 +0000 (19:29 +0000)]
Spelling.
aland [Fri, 4 Nov 2005 19:28:52 +0000 (19:28 +0000)]
Allow tabs
aland [Fri, 4 Nov 2005 19:21:23 +0000 (19:21 +0000)]
Catch NULL ptr
aland [Fri, 4 Nov 2005 19:01:14 +0000 (19:01 +0000)]
On HUP, move proxy sockets, too
cparker [Fri, 4 Nov 2005 18:42:40 +0000 (18:42 +0000)]
Updated check program for 'sockaddr_storage' to include <sys/socket.h>
and detect its existence on Solaris 8 systems (and presumably other
Solaris variants).
fcusack [Fri, 4 Nov 2005 07:28:58 +0000 (07:28 +0000)]
- Remove duplicate work in cardops twin2cardtime() method by removing
the method altogether. Now we call challenge() before isearly(),
and pass the challenge in, instead of cardtime.
- mincardtime is now saved in the updatecsd() method instead of in
otp_cardops.c
- remove minewin state field (still version 5)
fcusack [Fri, 4 Nov 2005 05:00:35 +0000 (05:00 +0000)]
change state fields failcount and minewin from int to uint32,
for portability (really this time)
fcusack [Fri, 4 Nov 2005 04:54:52 +0000 (04:54 +0000)]
- change state field minauthtime to mincardtime
- change state fields failcount and minewin from int to uint32
aland [Fri, 4 Nov 2005 00:40:48 +0000 (00:40 +0000)]
More cleanups & leak fixes
aland [Thu, 3 Nov 2005 23:51:50 +0000 (23:51 +0000)]
Abstract code some more.
Actually free stuff on errors
fcusack [Thu, 3 Nov 2005 00:54:15 +0000 (00:54 +0000)]
- add back time restriction to rwindow override, mistakenly removed
in previous change
- add logging when a window position is skipped for being too early
fcusack [Thu, 3 Nov 2005 00:13:10 +0000 (00:13 +0000)]
Make isconsecutive() a cardops method instead of trying to account
for all cases in otp_cardops.c:
- remove nexttwin() method
- save rwindow data as card-specific 'rd' field, instead of generic
authewin and authtwin fields
- updatecsd() method now has to update rd as well
- bump state to version 5
fcusack [Wed, 2 Nov 2005 22:41:15 +0000 (22:41 +0000)]
cardops updatecsd() method twin arg is int, not unsigned
fcusack [Wed, 2 Nov 2005 22:19:32 +0000 (22:19 +0000)]
- change csd and challenge args to cardops response() method to
char[] instead of char*, to document expected array length
- change csd arg to cardops response() method to const
- remove now superfluous (since cl 421) local copy of user_state.csd
aland [Wed, 2 Nov 2005 18:46:24 +0000 (18:46 +0000)]
Removed duplicate function. Patch from Philippe Sultan
fcusack [Wed, 2 Nov 2005 07:24:21 +0000 (07:24 +0000)]
isearly() should take int, not unsigned, for ewin arg
fcusack [Wed, 2 Nov 2005 06:54:41 +0000 (06:54 +0000)]
simplify "too early" logic by adding a cardops method isearly(),
rather than trying to account for the different cases in otp_cardops.c
fcusack [Wed, 2 Nov 2005 06:48:42 +0000 (06:48 +0000)]
update csd comment: prev, not next, sync challenge, due to state v4
aland [Tue, 1 Nov 2005 23:15:25 +0000 (23:15 +0000)]
Added hex printing of the packets if command-line options are -xxx
aland [Tue, 1 Nov 2005 22:44:31 +0000 (22:44 +0000)]
Catch case where the user hasn't updated the dictionaries with
the new format strings, and force them to be the default values
nbk [Tue, 1 Nov 2005 19:14:38 +0000 (19:14 +0000)]
Pass option "--config-cache" to configure, it's *a lot* faster.
nbk [Tue, 1 Nov 2005 19:11:08 +0000 (19:11 +0000)]
Regenerate from configure.in 1.222
nbk [Tue, 1 Nov 2005 19:04:49 +0000 (19:04 +0000)]
Ugly hack to make "./configure --config-cache" work.
fcusack [Tue, 1 Nov 2005 07:55:29 +0000 (07:55 +0000)]
change order of twin and ewin params to cardops challenge() method,
to be consistent with inner and outer loop vars and logging order
aland [Tue, 1 Nov 2005 01:50:42 +0000 (01:50 +0000)]
Add "format=" option to VENDOR statements in the dictionaries.
This lets us support any vendor with wonky formats, rather than
hard-coding vendor names into the source.
It also allows us to support reading multiple Lucent & Starent
attributes in one Vendor-Specific, which is nice.
The code is a *lot* larger than before, but I hope it's clearer,
and it does support a lot more weird situations than before.
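The commit above describes letting a dictionary declare, per vendor, how wide the sub-attribute type and length fields are inside a Vendor-Specific attribute. The following is an added example, not code from the commit or from the FreeRADIUS source: a small decoder that takes those two widths as parameters and walks every sub-attribute in one Vendor-Specific value, with bounds checks at each step so truncated or self-inconsistent lengths are rejected rather than read past the buffer. It assumes the `format=t,l` meaning used in later FreeRADIUS dictionaries (t = type width in octets, l = length-field width, where l = 0 means the vendor carries a single attribute with no length field), and it assumes the length field counts the sub-attribute header, as RFC 2865-style vendor attributes do. The function and type names and the sample bytes (vendor id 4846 with two sub-attributes in a 2-byte-type, 1-byte-length layout) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One decoded vendor sub-attribute (constructed type for this example). */
typedef struct {
    uint32_t       vendor;   /* 4-byte vendor id at the start of the VSA value */
    uint32_t       type;     /* sub-attribute type, t bytes wide on the wire */
    size_t         length;   /* value length in bytes (header excluded) */
    const uint8_t *value;    /* points into the caller's buffer */
} vsa_t;

/* Read a big-endian unsigned integer of 'width' bytes (1, 2 or 4). */
static uint32_t read_be(const uint8_t *p, int width)
{
    uint32_t v = 0;
    for (int i = 0; i < width; i++) v = (v << 8) | p[i];
    return v;
}

/*
 * Decode the value part of a Vendor-Specific attribute: a 4-byte vendor id
 * followed by one or more sub-attributes <type:t><length:l><value>.
 * type_width is 1, 2 or 4; len_width is 0, 1 or 2.  With len_width == 0 the
 * remainder of the value is a single attribute.  Returns the number of
 * sub-attributes written to out[], or -1 if the input is malformed.
 */
int decode_vsa(const uint8_t *data, size_t len, int type_width, int len_width,
               vsa_t *out, int max_out)
{
    if ((type_width != 1 && type_width != 2 && type_width != 4) ||
        len_width < 0 || len_width > 2) return -1;
    if (len < 4) return -1;                       /* no room for the vendor id */

    uint32_t vendor = read_be(data, 4);
    const uint8_t *p = data + 4;
    size_t left = len - 4;
    size_t hdr = (size_t)type_width + (size_t)len_width;
    int n = 0;

    while (left > 0) {
        if (left < hdr || n >= max_out) return -1;
        uint32_t type = read_be(p, type_width);
        size_t vlen;
        if (len_width == 0) {
            vlen = left - hdr;                    /* one attribute fills the VSA */
        } else {
            size_t total = read_be(p + type_width, len_width);
            if (total < hdr || total > left) return -1;   /* bad length field */
            vlen = total - hdr;
        }
        out[n].vendor = vendor;
        out[n].type   = type;
        out[n].length = vlen;
        out[n].value  = p + hdr;
        n++;
        p    += hdr + vlen;
        left -= hdr + vlen;
    }
    return n;
}

/* Constructed sample: vendor 4846, then sub-attr 1 = "abc" and sub-attr 0x0102 = 5,
 * encoded with a 2-byte type and a 1-byte length that covers the header. */
static const uint8_t sample_vsa[] = {
    0x00, 0x00, 0x12, 0xEE,
    0x00, 0x01, 0x06, 'a', 'b', 'c',
    0x01, 0x02, 0x07, 0x00, 0x00, 0x00, 0x05,
};
static vsa_t decoded[4];

int decode_sample(void)
{
    return decode_vsa(sample_vsa, sizeof sample_vsa, 2, 1, decoded, 4);
}

const vsa_t *sample_attr(int i) { return &decoded[i]; }

/* Same bytes cut off inside the first sub-attribute: must be rejected. */
int decode_truncated(void)
{
    return decode_vsa(sample_vsa, 8, 2, 1, decoded, 4);
}

int main(void)
{
    int n = decode_sample();
    for (int i = 0; i < n; i++)
        printf("vendor %u type %u length %zu\n",
               decoded[i].vendor, decoded[i].type, decoded[i].length);
    return n == 2 ? 0 : 1;
}
```

The same decoder handles a 1-byte-type, 1-byte-length vendor by passing (1, 1) and a vendor with no length field by passing (4, 0); only the widths change, which is what moving the format into the dictionary buys.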
aland [Tue, 1 Nov 2005 01:07:27 +0000 (01:07 +0000)]
Set more lengths on paircreate()
Allow values for pairmake() to be 253*2 characters long, for hex
data.
aland [Mon, 31 Oct 2005 16:47:19 +0000 (16:47 +0000)]
Removed bogus code
nbk [Mon, 31 Oct 2005 16:15:47 +0000 (16:15 +0000)]
Always use a "switch" statement after calling the modules, so it's
easier to figure out what's going on with the many return codes.
fcusack [Mon, 31 Oct 2005 08:29:43 +0000 (08:29 +0000)]
isconsecutive(): test for persistent softfail to avoid broken math
fcusack [Mon, 31 Oct 2005 07:44:57 +0000 (07:44 +0000)]
persistent softfail (forced by nullstate) fixes
nbk [Sun, 30 Oct 2005 16:51:21 +0000 (16:51 +0000)]
Don't leak memory in rad_authenticate() when we receive an
Access-Challenge from the home server. Also re-arrange the
code which checks the proxy reply, and update the comments.
nbk [Sat, 29 Oct 2005 20:11:53 +0000 (20:11 +0000)]
Print a debug message with the name of the stanza which is used
to run the modules.
fcusack [Sat, 29 Oct 2005 05:46:27 +0000 (05:46 +0000)]
right shift OTP_CF_FRW and OTP_CF_TW mask bits to get value
fcusack [Sat, 29 Oct 2005 04:49:37 +0000 (04:49 +0000)]
don't redefine _GNU_SOURCE if already defined
aland [Fri, 28 Oct 2005 21:06:56 +0000 (21:06 +0000)]
Move table of PID's to wait for into a hash table, which makes it
easier to manage.
aland [Fri, 28 Oct 2005 21:03:13 +0000 (21:03 +0000)]
Correct typo in closefrom
nbk [Thu, 27 Oct 2005 15:07:10 +0000 (15:07 +0000)]
Don't fclose() a file stream more than once.
Bug found by Svein Hansen <svein.hansen@hive.no>
fcusack [Wed, 26 Oct 2005 23:08:34 +0000 (23:08 +0000)]
add trid-beta-2 support
aland [Wed, 26 Oct 2005 06:01:43 +0000 (06:01 +0000)]
Suppress sending attributes of zero length.
Bug #273
aland [Wed, 26 Oct 2005 01:10:00 +0000 (01:10 +0000)]
Correct length bug in make_tunnel_passwd
use "data" ptr, not "vp->vp_octets" in rad_vp2attr(), during
encryption.
update rad_attr2vp() to handle encrypted IP's and integers.
(and anything else, for that matter).
Update rad_decode() to handle Starent attributes.
This code is a lot cleaner than what was there before...
aland [Tue, 25 Oct 2005 20:17:42 +0000 (20:17 +0000)]
Now that we have rad_vp2attr, and it's clean, adding support for
Starent VSA's is trivial.
We still have to make rad_attr2vp() support Starent VSA's, and
the Juniper encrypted integers & IP's
aland [Tue, 25 Oct 2005 18:24:45 +0000 (18:24 +0000)]
New attributes, from bug #284.
As a result of recent updates to src/lib/radius.c, we now get
"tunnel password" encrypted IP addresses and integers for free.
aland [Tue, 25 Oct 2005 18:10:39 +0000 (18:10 +0000)]
rad_vp2attr now takes "const VALUE_PAIR *", so it isn't modified.
Moved make_secret() to just before rad_vp2attr.
Added new make_passwd (User-Password) and make_tunnel_passwd
(Tunnel-Password) that take input & output ptrs, so they don't
modify a VALUE_PAIR*. The resulting code also looks a lot cleaner,
and makes more sense.
Fixed rad_attr2vp() to ALWAYS return the attribute, even if its
format is wrong (i.e. can't decrypt it, etc). In those cases,
the attribute name is left alone, but the flags are all set to
zero (no tag or encryption stuff), AND the data from the packet
is copied verbatim into vp->vp_octets.
This makes the server a little more forgiving of bad requests.
fcusack [Tue, 25 Oct 2005 05:29:29 +0000 (05:29 +0000)]
run all known cardops constructors if they didn't run
(workaround for Cyclades ACS runtime linker deficiency)
fcusack [Tue, 25 Oct 2005 01:26:47 +0000 (01:26 +0000)]
Update minauthtime handling for event-only cards to fix a bug in
the sync_response loop where authtime always equals minauthtime,
and so the 0th event (or, all events earlier than minewin, usu. 0)
is not considered.
otp_cardops.c:otp_pw_valid(): always set minauthtime to 0
cryptocard.c:cryptocard_twin2authtime(): return current time, not 0
aland [Mon, 24 Oct 2005 19:54:51 +0000 (19:54 +0000)]
Clean up rad_vp2attr. This version is a LOT more readable than
the previous code.
nbk [Sun, 23 Oct 2005 17:43:29 +0000 (17:43 +0000)]
Check the return value of accounting modules and don't proxy
invalid requests. Now the actions are:
Return value Proxy Drop
--------------------------------------
RLM_MODULE_REJECT X
RLM_MODULE_FAIL X
RLM_MODULE_OK X
RLM_MODULE_HANDLED X
RLM_MODULE_INVALID X
RLM_MODULE_USERLOCK X
RLM_MODULE_NOTFOUND X
RLM_MODULE_NOOP X
RLM_MODULE_UPDATED X
aland [Sat, 22 Oct 2005 00:10:03 +0000 (00:10 +0000)]
More code cleanups
aland [Fri, 21 Oct 2005 21:33:07 +0000 (21:33 +0000)]
Moved code from rad_encode() to rad_vp2attr(), to modularize the
code a little more, and make it easier to re-use elsewhere
aland [Fri, 21 Oct 2005 21:07:34 +0000 (21:07 +0000)]
H(A1) == MD5-Password.
Based on a patch from Philippe Sultan, bug #287
aland [Fri, 21 Oct 2005 20:37:54 +0000 (20:37 +0000)]
Corrected typo, as noted in bug #287
aland [Fri, 21 Oct 2005 18:30:33 +0000 (18:30 +0000)]
Ensure we stop...
aland [Fri, 21 Oct 2005 18:29:07 +0000 (18:29 +0000)]
Stop earlier if something went wrong
aland [Fri, 21 Oct 2005 18:18:14 +0000 (18:18 +0000)]
Substantially re-written, to have a common function for handling
the filtering.
This enables us to easily add filtering for authorize & postauth.
We MAY want to have separate filter files for each stage...
Use new paircmp() routine in src/lib/valuepair.c, which looks to
do the same thing as the previous code.
aland [Wed, 19 Oct 2005 18:16:16 +0000 (18:16 +0000)]
New paircmp() function, which compares two pairs, and nothing
else.
fcusack [Wed, 19 Oct 2005 15:50:47 +0000 (15:50 +0000)]
big update
aland [Tue, 18 Oct 2005 23:52:49 +0000 (23:52 +0000)]
Allow comparisons on IPv6 stuff, too
aland [Tue, 18 Oct 2005 22:31:25 +0000 (22:31 +0000)]
Renamed paircmp to paircompare, as we should probably have a
low-level comparison function, in the lib directory
aland [Tue, 18 Oct 2005 19:05:40 +0000 (19:05 +0000)]
Patches from Joe Maimon to fix some edge conditions
mgriego [Mon, 17 Oct 2005 19:09:42 +0000 (19:09 +0000)]
Be a little more forgiving about the number of domain components in a
User-Name in the form of host/f.q.d.n.
aland [Mon, 17 Oct 2005 19:04:07 +0000 (19:04 +0000)]
Catch even more corner cases.
This code is *bad*
aland [Mon, 17 Oct 2005 18:37:27 +0000 (18:37 +0000)]
Queue the request, THEN look for more threads
aland [Mon, 17 Oct 2005 18:00:35 +0000 (18:00 +0000)]
Catch the time when we're supposed to send delayed rejects.
This appears to prevent the loop of "Waiting for 0 seconds"
aland [Mon, 17 Oct 2005 17:25:15 +0000 (17:25 +0000)]
When stealing the fd, steal the rl, too
aland [Mon, 17 Oct 2005 17:19:29 +0000 (17:19 +0000)]
Increment head *after* deleting it from the queue
mgriego [Mon, 17 Oct 2005 02:20:42 +0000 (02:20 +0000)]
Allow mschap_xlat to return the correctly formatted username when given
a User-Name in the format of host/fully.qualified.name. A Windows domain
expects a machine name in the format of shortname$, ie the SAM version of
the account name. mschap_xlat will also pull the first domain component
following the hostname in a host/ formatted username and return that as the
NT-Domain xlat. With these changes, the ntlm_auth command can be assured
to always have the correct formatting of the username for either user
authentication or machine authentication by simply passing the xlats of
%{mschap:User-Name} and %{mschap:NT-Domain}
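The two mschap commits above (this one and the later "be a little more forgiving about the number of domain components" change) describe turning a host/f.q.d.n machine account name into the shortname$ form a Windows domain expects, plus extracting the first domain component. As an added illustration, and not the rlm_mschap code itself, here is a standalone splitter that does that transformation and accepts any number of domain components, including none. The function names, buffer handling and sample names are assumptions for this example; the real xlat works on the server's VALUE_PAIR structures and is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/*
 * Split a User-Name into the SAM-style account name and the first domain
 * component.  "host/lab01.corp.example.com" gives "lab01$" and "corp";
 * "host/lab01" gives "lab01$" and an empty domain; a name without the
 * "host/" prefix is copied unchanged with an empty domain.
 * Returns 0 on success, -1 if the machine name is empty or a buffer is too small.
 */
int split_machine_name(const char *user_name, char *account, size_t alen,
                       char *domain, size_t dlen)
{
    if (dlen == 0 || alen == 0) return -1;
    domain[0] = '\0';

    if (strncmp(user_name, "host/", 5) != 0) {       /* ordinary user account */
        if (strlen(user_name) + 1 > alen) return -1;
        strcpy(account, user_name);
        return 0;
    }

    const char *name = user_name + 5;
    const char *dot = strchr(name, '.');
    size_t namelen = dot ? (size_t)(dot - name) : strlen(name);
    if (namelen == 0) return -1;                     /* "host/" with nothing after it */
    if (namelen + 2 > alen) return -1;               /* name + '$' + NUL */
    memcpy(account, name, namelen);
    account[namelen] = '$';
    account[namelen + 1] = '\0';

    if (dot) {                                       /* first component after the host name */
        const char *comp = dot + 1;
        const char *end = strchr(comp, '.');
        size_t clen = end ? (size_t)(end - comp) : strlen(comp);
        if (clen + 1 > dlen) return -1;
        memcpy(domain, comp, clen);
        domain[clen] = '\0';
    }
    return 0;
}

/* Convenience wrappers mirroring the two xlats; static buffers keep the example short. */
static char account_buf[256];
static char domain_buf[256];

const char *xlat_user_name(const char *user_name)
{
    if (split_machine_name(user_name, account_buf, sizeof account_buf,
                           domain_buf, sizeof domain_buf) != 0) return NULL;
    return account_buf;
}

const char *xlat_nt_domain(const char *user_name)
{
    if (split_machine_name(user_name, account_buf, sizeof account_buf,
                           domain_buf, sizeof domain_buf) != 0) return NULL;
    return domain_buf;
}

int main(void)
{
    const char *samples[] = { "host/lab01.corp.example.com", "host/lab01", "alice" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *u = xlat_user_name(samples[i]);
        printf("%-30s -> User-Name=%s NT-Domain=%s\n", samples[i],
               u ? u : "(error)", u ? xlat_nt_domain(samples[i]) : "");
    }
    return 0;
}
```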
mgriego [Sat, 15 Oct 2005 23:52:36 +0000 (23:52 +0000)]
Added htonl wrapper around mask when ANDing in client_sane. This was
causing some hard-to-track-down issues. The same may need to be done for the
IPv6 code in that function.
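The byte-order bug the commit above fixes is easy to reproduce in isolation: addresses coming out of inet_pton() are in network byte order, while a netmask computed from a prefix length is a host-order integer, so ANDing the two only works on big-endian hosts. The following is an added example written for this log, not the client_sane code from the server; it shows the corrected comparison (mask passed through htonl()) beside the unconverted variant so the difference can be observed on a little-endian machine. Function names and the sample addresses are constructed for the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Netmask for a prefix length, as a host-order integer (0xffffff00 for /24). */
uint32_t prefix_to_mask(int prefixlen)
{
    if (prefixlen <= 0) return 0;
    if (prefixlen >= 32) return 0xffffffffU;
    return 0xffffffffU << (32 - prefixlen);
}

/* Parse dotted-quad text; inet_pton() hands back the address in network order. */
static int parse_v4(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1) return -1;
    *out = a.s_addr;
    return 0;
}

/* Corrected check: htonl() puts the mask in the same byte order as the addresses.
 * Returns 1 on match, 0 on mismatch, -1 if an address does not parse. */
int client_in_network(const char *client, const char *network, int prefixlen)
{
    uint32_t c, n;
    if (parse_v4(client, &c) || parse_v4(network, &n)) return -1;
    uint32_t mask = htonl(prefix_to_mask(prefixlen));
    return (c & mask) == (n & mask);
}

/* Pre-fix behaviour for comparison: host-order mask ANDed with network-order
 * addresses.  On a little-endian host this masks the wrong octets. */
int client_in_network_unconverted(const char *client, const char *network, int prefixlen)
{
    uint32_t c, n;
    if (parse_v4(client, &c) || parse_v4(network, &n)) return -1;
    uint32_t mask = prefix_to_mask(prefixlen);
    return (c & mask) == (n & mask);
}

/* 1 when this host stores integers little-endian, i.e. when the two variants diverge. */
int host_is_little_endian(void)
{
    return htonl(1) != 1;
}

int main(void)
{
    const char *client = "192.168.1.77", *network = "192.168.1.0";
    printf("%s in %s/24: corrected=%d unconverted=%d (little-endian host: %d)\n",
           client, network,
           client_in_network(client, network, 24),
           client_in_network_unconverted(client, network, 24),
           host_is_little_endian());
    return 0;
}
```

On x86 the unconverted variant keeps the last three octets instead of the first three, so a client inside the configured network is rejected while an address that merely shares its low octets is accepted; both outcomes are in the test below.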
aland [Wed, 12 Oct 2005 21:23:22 +0000 (21:23 +0000)]
Type fixes
aland [Mon, 10 Oct 2005 19:11:22 +0000 (19:11 +0000)]
Moved code out of rad_decode() into rad_attr2vp, so we don't have
huge functions, and so that others can call rad_attr2vp
bjordanov [Sun, 9 Oct 2005 10:30:19 +0000 (10:30 +0000)]
Changed size of start pool to fit one on experimental.conf
nbk [Sat, 8 Oct 2005 11:09:30 +0000 (11:09 +0000)]
Don't free the check items in proxy_receive(): simultaneous
use, ip pool and post-auth type variables are still needed.
aland [Fri, 7 Oct 2005 23:54:53 +0000 (23:54 +0000)]
Foundational work for building C++ modules.
The header files need to be fixed, however.
aland [Fri, 7 Oct 2005 23:51:11 +0000 (23:51 +0000)]
Added EAP-PSK from:
http://perso.rd.francetelecom.fr/bersani/EAP_PSK/EAP-PSKWindowsimplementations.html
It's GPL licensed.
Changes from that library:
- removed HORRID #include ....../rlm_ldap/rlm_ldap.c
WTF?
- minor updates for vp_strvalue
- move Makefile to Makefile.in, because without other changes
to the server to make headers build with C++, this won't
build.
Untested... use at your own risk!
aland [Fri, 7 Oct 2005 21:37:49 +0000 (21:37 +0000)]
Don't set things twice
fcusack [Fri, 7 Oct 2005 06:11:00 +0000 (06:11 +0000)]
fix unsigned vs signed comparison
pnixon [Thu, 6 Oct 2005 17:44:23 +0000 (17:44 +0000)]
spelling fix
pnixon [Thu, 6 Oct 2005 17:36:50 +0000 (17:36 +0000)]
spelling fixes
aland [Thu, 6 Oct 2005 17:31:56 +0000 (17:31 +0000)]
Handle regex comparisons. Patch from Joe Maimon
pnixon [Thu, 6 Oct 2005 16:24:33 +0000 (16:24 +0000)]
spelling fixes
fcusack [Wed, 5 Oct 2005 22:40:33 +0000 (22:40 +0000)]
add maxtwin() cardops method to allow dynamic twin setting
fcusack [Wed, 5 Oct 2005 22:16:50 +0000 (22:16 +0000)]
pass 'when' and 'twin' to updatecsd(), so that time sync cards
can calculate drift
nbk [Wed, 5 Oct 2005 10:17:50 +0000 (10:17 +0000)]
Delete #include "autoconf.h" from other header files. It's
annoying for the people who want to use the libradius in an
external program.