aland [Sat, 10 Jan 2004 15:50:40 +0000 (15:50 +0000)]
For Mikrotik routers
aland [Fri, 9 Jan 2004 21:05:24 +0000 (21:05 +0000)]
Added dictionary for 3gpp2
aland [Thu, 8 Jan 2004 17:03:54 +0000 (17:03 +0000)]
If there are no OpenSSL libraries, don't include them.
aland [Wed, 7 Jan 2004 20:38:51 +0000 (20:38 +0000)]
Look for openssl/rand.h, too.
aland [Wed, 7 Jan 2004 20:38:16 +0000 (20:38 +0000)]
Hoist OpenSSL checks from a number of different places into
the top-level configuration file. This now exports OPENSSL_INCLUDES
and OPENSSL_LIBS *only* if it decides that it likes what it finds.
This also adds Michael Griego's patch to check for OpenSSL version
greater than or equal to 0.9.7.
The various EAP types now have stupidly simple configuration scripts,
which just look for OPENSSL_INCLUDES and OPENSSL_LIBS, rather than
re-doing all of the header/lib checking themselves.
We've got to apply the same patch to LDAP & X99_Token, but they
still work..
aland [Wed, 7 Jan 2004 18:13:53 +0000 (18:13 +0000)]
A little cleaner check for identity & username.
Patch from Michael Griego.
Hmm... the new code looks fairly duplicate. We could factor
it into a function for less code...
aland [Wed, 7 Jan 2004 17:55:12 +0000 (17:55 +0000)]
Updated the debugging message to make a little more sense.
aland [Wed, 7 Jan 2004 17:07:41 +0000 (17:07 +0000)]
Add script which sets LD_LIBRARY_PATH, etc, so that OpenSSL
weirdness can be taken care of.
It should also work for MySQL...
aland [Wed, 7 Jan 2004 15:55:26 +0000 (15:55 +0000)]
When finding MS-CHAP attributes, do "Auth-Type = MSCHAP", rather
than ":=". This means it won't over-ride any previous setting
of auth-type "accept" or "reject"
aland [Mon, 5 Jan 2004 17:06:35 +0000 (17:06 +0000)]
Clean up the examples
aland [Mon, 5 Jan 2004 17:06:16 +0000 (17:06 +0000)]
More description of the dictionaries & how they work.
aland [Mon, 5 Jan 2004 17:05:46 +0000 (17:05 +0000)]
Minor updates to the text.
Don't talk about disabling it. We don't want the users to do that.
aland [Mon, 5 Jan 2004 17:05:09 +0000 (17:05 +0000)]
When we have a stop record, don't compare it to unused entries.
This means that if we get two duplicate stops, the second one will
cause the server to complain. Previously, the server *may* have
complained, but not necessarily...
aland [Mon, 5 Jan 2004 17:03:54 +0000 (17:03 +0000)]
Use NAS-Port, not NAS-Port-Id in acct_unique.
The module should really be fixed to use xlat's...
aland [Mon, 5 Jan 2004 17:03:18 +0000 (17:03 +0000)]
Removed text saying there is a restriction on the number of
load-balancing realms
aland [Mon, 5 Jan 2004 17:02:31 +0000 (17:02 +0000)]
Removed restriction that there be no more than 32 load-balancing
realms, by implementing a new algorithm, which walks the list once,
and picks 1 of N. (See the Camel Book)
aland [Mon, 5 Jan 2004 17:01:19 +0000 (17:01 +0000)]
Updated "readvp2" (only used by radclient) to be a little more
tolerant of its input, and to NOT leak memory if there was an
error reading the VP's
aland [Mon, 5 Jan 2004 16:59:52 +0000 (16:59 +0000)]
Add UDPFROMTO stuff.
Print source port when signature is invalid
aland [Mon, 5 Jan 2004 16:58:32 +0000 (16:58 +0000)]
Now that we handle things a little better, don't do such strict
checking for # of entries returned
aland [Mon, 5 Jan 2004 16:57:50 +0000 (16:57 +0000)]
Include PEAP & MSCHAPv2 EAP sub-types, too.
aland [Mon, 5 Jan 2004 16:57:00 +0000 (16:57 +0000)]
Updates from RFC 2822 and RFC 3576
cparker [Fri, 2 Jan 2004 23:45:18 +0000 (23:45 +0000)]
Added 'accounting' and 'pre-proxy' method calls.
aland [Fri, 2 Jan 2004 19:28:16 +0000 (19:28 +0000)]
Build it only if WITH_UDPFROMTO is defined
mcr [Mon, 29 Dec 2003 01:21:08 +0000 (01:21 +0000)]
added test-SIM case.
mcr [Mon, 29 Dec 2003 01:13:43 +0000 (01:13 +0000)]
if the un-marshalling fails, then fail the packet.
aland [Tue, 23 Dec 2003 20:16:14 +0000 (20:16 +0000)]
As posted to the list by Keith Yoder
kkalev [Mon, 22 Dec 2003 15:18:51 +0000 (15:18 +0000)]
Small fix in user_finger.php3
kkalev [Mon, 22 Dec 2003 12:32:12 +0000 (12:32 +0000)]
Misplaced arguments in strncpy
aland [Fri, 19 Dec 2003 20:19:23 +0000 (20:19 +0000)]
Patch from Tiago Pierezan Camargo
Be a little more forgiving about string attributes in Cisco
AV-Pair's.
aland [Fri, 19 Dec 2003 19:53:03 +0000 (19:53 +0000)]
Potential patch
aland [Fri, 19 Dec 2003 19:49:44 +0000 (19:49 +0000)]
Allow integer timestamps, too.
Patch from James Nedila
aland [Fri, 19 Dec 2003 19:46:47 +0000 (19:46 +0000)]
Removed last vestiges of NAS-Port-Id meaning the integer attribute
aland [Fri, 19 Dec 2003 19:25:32 +0000 (19:25 +0000)]
Patch to change ctime_r to CTIME_R, which is now a macro, which
works properly on different platforms. (Hello, Solaris... who
needs to follow Posix?)
Patch from Oliver Graf
aland [Fri, 19 Dec 2003 19:03:56 +0000 (19:03 +0000)]
Minor cleanups
aland [Thu, 18 Dec 2003 16:04:54 +0000 (16:04 +0000)]
Added SQL to a number of sections, commented-out
mcr [Tue, 16 Dec 2003 03:50:34 +0000 (03:50 +0000)]
small amount of documentation on using EAP-SIM authentication.
mcr [Tue, 16 Dec 2003 02:33:05 +0000 (02:33 +0000)]
what to put into /etc/raddb/users for eapsim-XX tests.
mcr [Tue, 16 Dec 2003 02:32:42 +0000 (02:32 +0000)]
test cases for EAP-SIM.
aland [Mon, 15 Dec 2003 20:27:35 +0000 (20:27 +0000)]
Set src IP & port for reply, based on the dst IP & port
that the request came from.
aland [Mon, 15 Dec 2003 20:23:57 +0000 (20:23 +0000)]
Include udpfromto.c
aland [Mon, 15 Dec 2003 20:22:08 +0000 (20:22 +0000)]
Part 2.
Include header & C implementation, from Jan Berkel and
Miquel van Smoorenburg
aland [Mon, 15 Dec 2003 20:18:20 +0000 (20:18 +0000)]
Part 1 of patch from Jan Berkel, based on Miquel's patch.
./configure --with-udpfromto=yes
now sets options saying to use 'recvmsg' and 'sendmsg' for sending
RADIUS packets, which allows the destination address to be
discovered during receive, and to be set during send.
This should solve a number of the IP Alias problems that people
have had.
kkalev [Mon, 15 Dec 2003 16:55:28 +0000 (16:55 +0000)]
* Huge PostgreSQL compatibility patch by Guy Fraser <guy@incentre.net>
* Also support the Crypt-Password attribute in lib/sql/password_check.php3. Patch by Guy Fraser <guy@incentre.net>
kkalev [Sun, 14 Dec 2003 00:18:48 +0000 (00:18 +0000)]
A minor patch to return if pairmake() fails by James Nedila
aland [Fri, 12 Dec 2003 21:49:52 +0000 (21:49 +0000)]
Don't bother waiting for child threads if there are none.
aland [Fri, 12 Dec 2003 14:44:37 +0000 (14:44 +0000)]
Corrected typo.
Note by Robert Fitzsimons
aland [Thu, 11 Dec 2003 22:36:10 +0000 (22:36 +0000)]
Moved request list walking functions from radiusd to request_list
radiusd.c was way too big. It's more manageable now.
aland [Wed, 10 Dec 2003 20:54:11 +0000 (20:54 +0000)]
A slightly better way of incrementing SNMP counters, which doesn't
clutter the code so much.
aland [Wed, 10 Dec 2003 20:41:42 +0000 (20:41 +0000)]
Keep more SNMP statistics about packets dropped, sent, etc.
aland [Wed, 10 Dec 2003 20:03:22 +0000 (20:03 +0000)]
Minor re-arrangement
aland [Wed, 10 Dec 2003 19:49:15 +0000 (19:49 +0000)]
When checking new request or proxy reply, don't bother checking
request->child_pid, as it may not be set. However, request->finished
will always be 0 if the request is "active", so we rely on that,
instead.
In proxy_ok() look for request->proxy_reply, to catch duplicate
replies from the home server. It's odd that we didn't do that before.
In the thread code, now check if child_pid is non-empty. If so,
busy-wait for 100 milliseconds, to wait for the other thread to
finish. If so, continue. If not, kill the entire server, as
it's too busy to process requests.
pnixon [Wed, 10 Dec 2003 15:20:39 +0000 (15:20 +0000)]
postauth functionality thanks to Guy Fraser <guy@incentre.net> with modifications by me.
kkalev [Tue, 9 Dec 2003 14:21:18 +0000 (14:21 +0000)]
Use the User-Password attribute instead of Password in user_test.php3
wichert [Tue, 9 Dec 2003 12:35:43 +0000 (12:35 +0000)]
Bugger, date_sub has a slightly different syntax than standard SQL, update call to match
wichert [Tue, 9 Dec 2003 12:30:38 +0000 (12:30 +0000)]
Add copyright to date_sub function
wichert [Tue, 9 Dec 2003 12:29:01 +0000 (12:29 +0000)]
Create DATE_SUB function which is used by the default alt_accounting_stop query
wichert [Tue, 9 Dec 2003 12:27:48 +0000 (12:27 +0000)]
Do not set RadAcctId to empty string, this is not allowed and postgres will pick a number anyway since we use a serial type. Also fix the alt accounting stop query so it is valid SQL instead of a syntax error
kkalev [Mon, 8 Dec 2003 16:35:35 +0000 (16:35 +0000)]
Only call pairfree if we are using pairxlatmove not for pairadd
kkalev [Sun, 7 Dec 2003 16:19:04 +0000 (16:19 +0000)]
Also be able to search in the proxy and proxy_reply structures in rlm_attr_rewrite
aland [Sun, 7 Dec 2003 00:25:42 +0000 (00:25 +0000)]
eap.h support for tunneled callbacks
rlm_eap.c update request->proxy in authenticate
call tunneled callbacks in postproxy
types/rlm_eap_ttls/eap_ttls.h
types/rlm_eap_tls/eap_tls.h
move prototype for eapttls_process
types/rlm_eap_peap/eap_peap.h
include rlm_eap.h
types/rlm_eap_peap/rlm_eap_peap.c
types/rlm_eap_ttls/rlm_eap_ttls.c
handle "updated" return code from tunnel handler
types/rlm_eap_peap/peap.c
types/rlm_eap_ttls/ttls.c
hoist reply processing into its own routine.
handle proxy replies
aland [Sun, 7 Dec 2003 00:22:07 +0000 (00:22 +0000)]
Cosmetic changes in debugging messages
aland [Sun, 7 Dec 2003 00:16:13 +0000 (00:16 +0000)]
De-coupled the input requests from the thread management.
We now have a queue of input requests, which the new requests
get dropped into. Asynchronously from that, the threads wait
on a thread-global semaphore, and then pick up requests from
the queue.
The queue is protected by a mutex, both for adding & deleting
requests.
The threads in the pool no longer have per-thread semaphores.
Semaphores are required here because the main handler thread
has to be able to signal the semaphore, and have that signal
remembered, even if there are no threads currently waiting on
the semaphore. Further, the main handler has to be able to
signal the semaphore multiple times, when there are multiple
requests waiting, and all of the threads are busy.
If a thread wakes up and there is no request for it to process,
it simply goes back to waiting on the semaphore. This makes
the process a little more fail-safe, in that we can ensure that
requests are never left forever in the queue, by signalling the
semaphores more than required.
aland [Fri, 5 Dec 2003 20:49:03 +0000 (20:49 +0000)]
Re-arranged the rad_check_list & proxy_check_list code to make
a little more sense. The main request handling loop which does
select() is now a little smaller.
We now have a packet_ok() function, to see if the incoming packet
is acceptable.
We now have a request_ok() function, which sees if the request
(as a whole) is acceptable.
The old code mixed up a lot of the packet/request checking into
multiple functions which each did packet/request checking. The
new code is a little more straightforward.
The idea is to fix the race condition in the proxy code (bug #7),
and to apply the pending multi-cpu patches, by adding a queue of
requests we're sitting on, but which haven't yet been given to a
thread.
The new code makes it a little clearer as to what changes have
to be made, and where, in order to add those features.
aland [Fri, 5 Dec 2003 18:45:48 +0000 (18:45 +0000)]
container is a ptr, not a ptr to a ptr
Update casts to be prettier
kkalev [Fri, 5 Dec 2003 17:44:29 +0000 (17:44 +0000)]
Add the code to eaptls_ack_handler which was removed in the previous commit.
Add an entry initialized in tls_info_t which is set to 1 by eaptls_msg.
In eaptls_ack_handler check the info elements only if initialized is not set to zero.
If it is set to zero then just return EAPTLS_REQUEST and wait for more data.
kkalev [Fri, 5 Dec 2003 17:40:13 +0000 (17:40 +0000)]
Replace u_int8_t with uint8_t which is the correct one
aland [Fri, 5 Dec 2003 15:38:14 +0000 (15:38 +0000)]
Call pam_end with proper return value, to let the pam libraries
clean up after themselves..
Patch from max liccardo
aland [Thu, 4 Dec 2003 18:27:33 +0000 (18:27 +0000)]
Never mind. Editing the configuration files is simpler.
aland [Thu, 4 Dec 2003 18:26:28 +0000 (18:26 +0000)]
A few simple configuration changes to make iPass support easier
aland [Thu, 4 Dec 2003 16:55:50 +0000 (16:55 +0000)]
As posted to the list by Walter Perris
aland [Wed, 3 Dec 2003 21:56:19 +0000 (21:56 +0000)]
When a REQUEST is proxied, set the option that it's proxied,
instead of keying off of the existence of request->proxy
aland [Wed, 3 Dec 2003 21:55:24 +0000 (21:55 +0000)]
Add the ability to associate arbitrary data with a REQUEST structure.
This should make a number of things much easier...
aland [Wed, 3 Dec 2003 20:18:40 +0000 (20:18 +0000)]
Remove a trailing space after the '\\'. It MUST be the last
character in the line!
kkalev [Wed, 3 Dec 2003 14:32:42 +0000 (14:32 +0000)]
Add a patch from Jon Miner <miner@doit.wisc.edu> to add the ability to configure
various LDAP TLS options
aland [Tue, 2 Dec 2003 19:57:59 +0000 (19:57 +0000)]
Updates.
aland [Tue, 2 Dec 2003 19:25:04 +0000 (19:25 +0000)]
It's a start
kkalev [Tue, 2 Dec 2003 14:21:43 +0000 (14:21 +0000)]
In eaptls_ack_handler delete all relevant code about checking ssl parameters
We are handling an EAP-TLS ACK packet which by definition does not contain
any data. So there's no possibility of these values existing in the first place.
pnixon [Tue, 2 Dec 2003 14:20:28 +0000 (14:20 +0000)]
Karlnet (makes point-to-multipoint software for Lucent APs, and own APs now).
Its VSAs are used for setting operation mode APs and bandwidth parameters of clients
pnixon [Mon, 1 Dec 2003 16:33:11 +0000 (16:33 +0000)]
Added Navini thanks to "Paul Shields" <pshields@navini.com>
kkalev [Sat, 29 Nov 2003 21:22:18 +0000 (21:22 +0000)]
attr_vp->strvalue can sometimes not exist. Use replace_STR instead
pnixon [Sat, 29 Nov 2003 15:44:33 +0000 (15:44 +0000)]
new accounting_update_query for oracle
aland [Fri, 28 Nov 2003 19:32:52 +0000 (19:32 +0000)]
Re-arrange the proxy code, to group the "massage the packet"
code into one area.
pnixon [Fri, 28 Nov 2003 16:20:15 +0000 (16:20 +0000)]
Update AcctSessionTime also on accounting_update packets
pnixon [Fri, 28 Nov 2003 16:06:54 +0000 (16:06 +0000)]
Update some extra fields on accounting_update packets
pnixon [Fri, 28 Nov 2003 16:02:13 +0000 (16:02 +0000)]
Reformat accounting_update_query
pnixon [Fri, 28 Nov 2003 15:57:05 +0000 (15:57 +0000)]
update the acctinputoctets and acctoutputoctets on accounting_update
aland [Thu, 27 Nov 2003 21:45:41 +0000 (21:45 +0000)]
When creating attributes from strings Attr-%, or Vendor-%d-Attr-%d,
look the parsed attributes up in the dictionary, and use the name
and type from there (after parsing the octets)
This "normalizes" the names and values for the attributes...
aland [Thu, 27 Nov 2003 20:54:53 +0000 (20:54 +0000)]
Parse Attr-%d and Vendor-%d-Attr-%d into VALUE_PAIR's, as the
named attribute isn't in the dictionary.
We should probably fix the function to double-check the dictionary
for the attribute, and use that correct name, if it exists...
This fixes bugzilla #8
aland [Thu, 27 Nov 2003 19:21:15 +0000 (19:21 +0000)]
A little bit of future-proofing, for other vendors who have
4-octet VSA's. The code isn't done yet, but it's a little more
obvious as to what has to be done to support it, and why.
aland [Thu, 27 Nov 2003 16:57:17 +0000 (16:57 +0000)]
Fail authentication if the User-Name attribute changes value
in the middle of the authentication process, or if the User-Name
attribute doesn't match the EAP-Identity
Patch from Michael Griego
aland [Thu, 27 Nov 2003 16:43:38 +0000 (16:43 +0000)]
Handle vendor codes larger than 16 bits.
aland [Thu, 27 Nov 2003 15:43:38 +0000 (15:43 +0000)]
The 'indictors' array should be long-lived, and not allocated on
the stack.
Patch from Michael Wins
aland [Wed, 26 Nov 2003 22:51:02 +0000 (22:51 +0000)]
Use paircreate(), rather than our own malloc(), to create VP's.
This avoids a lot of the problems with respect to doing our own
dictionary lookups...
Removed all references to 'attr->' from rad_decode(). It's no longer
necessary, and was being used without checking if attr was NULL
(which it could be, but not in the code de-referencing it)
Yuck. Smaller, simpler code is better.
aland [Wed, 26 Nov 2003 21:51:36 +0000 (21:51 +0000)]
Patch to better use include/lib directories, and keep track of -lz
aland [Wed, 26 Nov 2003 21:21:12 +0000 (21:21 +0000)]
rad_decode() now checks the VSA the first time it runs into
Vendor-Specific. If it looks like an RFC-compatible VSA, then
it uses that.
If it looks like a USR style VSA, then it uses that.
If it doesn't look like anything intelligent (i.e. certain vendors
who shall remain nameless), then it leaves the attribute as
Vendor-Specific, of type 'octets'.
This makes the server a little more flexible...
aland [Wed, 26 Nov 2003 20:56:40 +0000 (20:56 +0000)]
Moved trailing 'Ascend' on each attribute to BEGIN/END-VENDOR
blocks. This makes the dictionary a little prettier, and also
allows the 'encrypt=3' stuff to work.
aland [Wed, 26 Nov 2003 20:42:51 +0000 (20:42 +0000)]
Added 'encrypt=3' to the dictionaries, to avoid having the code
in radius.c add the flags manually
aland [Wed, 26 Nov 2003 20:34:24 +0000 (20:34 +0000)]
VSA's of length 6 are disallowed.
VSA's with vendor ID of zero are disallowed.
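An added example, not FreeRADIUS's rad_decode(), of the Vendor-Specific checks described in the two commits above: reject attributes of length 6 or with Vendor-Id 0, accept the RFC sub-TLV layout when the vendor-lengths tile the data, fall back to a 4-octet-type format for vendors in a caller-supplied table (constructed here with USR's enterprise number, 429), and otherwise leave the attribute as opaque octets. The sample attributes are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

/* How a Vendor-Specific (RADIUS type 26) attribute should be treated. */
typedef enum { VSA_REJECT, VSA_RFC, VSA_USR, VSA_OPAQUE } vsa_kind_t;

/* Vendors whose VSAs carry a 4-octet vendor-type and no vendor-length.
   Constructed table for this example (429 is USR's enterprise number). */
static const uint32_t NO_LENGTH_VENDORS[] = { 429 };

static int uses_4octet_type(uint32_t vendor)
{
    for (size_t i = 0; i < sizeof NO_LENGTH_VENDORS / sizeof *NO_LENGTH_VENDORS; i++)
        if (NO_LENGTH_VENDORS[i] == vendor) return 1;
    return 0;
}

/* p points at the attribute's Type octet; avail is the bytes left in the
   packet.  Layout (RFC 2865 5.26): Type=26, Length, Vendor-Id (4 octets),
   vendor data.  Rejects Length 6 (no vendor data), Vendor-Id 0, and any
   Length that overruns the packet, so it never reads past p[avail-1]. */
vsa_kind_t vsa_classify(const uint8_t *p, size_t avail, uint32_t *vendor_out)
{
    if (avail < 2 || p[0] != 26) return VSA_REJECT;
    size_t alen = p[1];
    if (alen < 7 || alen > avail) return VSA_REJECT;
    uint32_t vendor = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) |
                      ((uint32_t)p[4] << 8)  |  (uint32_t)p[5];
    if (vendor == 0) return VSA_REJECT;
    if (vendor_out) *vendor_out = vendor;

    const uint8_t *d = p + 6;
    size_t dlen = alen - 6, off = 0;

    /* RFC-compatible: (vendor-type, vendor-length, data) sub-TLVs whose
       vendor-lengths exactly tile the vendor data. */
    while (off < dlen) {
        if (dlen - off < 2 || d[off + 1] < 2 || d[off + 1] > dlen - off) break;
        off += d[off + 1];
    }
    if (off == dlen) return VSA_RFC;

    /* USR style: 4-octet vendor-type, length implied by the attribute. */
    if (uses_4octet_type(vendor) && dlen >= 4) return VSA_USR;

    /* Anything else stays Vendor-Specific with type 'octets'. */
    return VSA_OPAQUE;
}

/* Constructed sample attributes for the cases above. */
static const uint8_t SAMPLE_RFC[]    = { 26, 12, 0, 0, 0, 9, 1, 6, 'a', 'b', 'c', 'd' };
static const uint8_t SAMPLE_USR[]    = { 26, 12, 0, 0, 1, 173, 0, 0, 0x99, 0x99, 'x', 'y' };
static const uint8_t SAMPLE_EMPTY[]  = { 26, 6, 0, 0, 0, 9 };            /* Length 6 */
static const uint8_t SAMPLE_VEND0[]  = { 26, 8, 0, 0, 0, 0, 1, 2 };      /* Vendor-Id 0 */
static const uint8_t SAMPLE_OPAQUE[] = { 26, 8, 0, 0, 0x27, 0x0F, 1, 5 }; /* sub-length 5 > 2 */
```

Passing a smaller avail than the attribute's Length models a truncated packet and is rejected before any vendor data is touched.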
aland [Wed, 26 Nov 2003 20:11:39 +0000 (20:11 +0000)]
Removed code in rad_recv() which tried to verify the correct
format of VSA's. Too many vendors have too many stupid VSA formats
to make this check worth-while.
aland [Wed, 26 Nov 2003 18:51:32 +0000 (18:51 +0000)]
Unlock the list AFTER we've finished mucking with it, not before.
Patch from Michael Griego