aland [Sun, 7 Dec 2003 00:25:42 +0000 (00:25 +0000)]
eap.h
    support for tunneled callbacks
rlm_eap.c
    update request->proxy in authenticate
    call tunneled callbacks in postproxy
types/rlm_eap_ttls/eap_ttls.h
types/rlm_eap_tls/eap_tls.h
    move prototype for eapttls_process
types/rlm_eap_peap/eap_peap.h
    include rlm_eap.h
types/rlm_eap_peap/rlm_eap_peap.c
types/rlm_eap_ttls/rlm_eap_ttls.c
    handle "updated" return code from tunnel handler
types/rlm_eap_peap/peap.c
types/rlm_eap_ttls/ttls.c
    hoist reply processing into its own routine.
    handle proxy replies
aland [Sun, 7 Dec 2003 00:22:07 +0000 (00:22 +0000)]
Cosmetic changes in debugging messages
aland [Sun, 7 Dec 2003 00:16:13 +0000 (00:16 +0000)]
De-coupled the input requests from the thread management.
We now have a queue of input requests, which the new requests
get dropped into. Asynchronously from that, the threads wait
on a thread-global semaphore, and then pick up requests from
the queue.
The queue is protected by a mutex, both for adding & deleting
requests.
The threads in the pool no longer have per-thread semaphores.
Semaphores are required here because the main handler thread
has to be able to signal the semaphore, and have that signal
remembered, even if there are no threads currently waiting on
the semaphore. Further, the main handler has to be able to
signal the semaphore multiple times, when there are multiple
requests waiting, and all of the threads are busy.
If a thread wakes up and there is no request for it to process,
it simply goes back to waiting on the semaphore. This makes
the process a little more fail-safe, in that we can ensure that
requests are never left forever in the queue, by signalling the
semaphores more than required.
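The queue design described in this commit message (a mutex-protected request queue, one thread-global counting semaphore that remembers signals even when no worker is waiting, and workers that go straight back to waiting on a spurious wake-up), shown as an added Python example. This is not FreeRADIUS code and the class and function names are my own; the server itself is written in C, but the synchronisation pattern is the same.

```python
import threading
import time
from collections import deque


class RequestQueue:
    """Queue of input requests shared by a pool of worker threads.

    The main thread appends under a mutex and releases one permit on a
    counting semaphore; each worker acquires a permit, then pops under the
    same mutex.  A counting semaphore is used (rather than per-thread
    signals) because a release must be remembered when no worker is
    currently waiting, and may be repeated while every worker is busy.
    """

    def __init__(self):
        self._lock = threading.Lock()        # protects _queue for add and delete
        self._sem = threading.Semaphore(0)   # one permit per queued request, or more
        self._queue = deque()

    def put(self, request):
        with self._lock:
            self._queue.append(request)
        self._sem.release()                  # remembered even if nobody is waiting yet

    def kick(self):
        """Extra signal with no request behind it: a worker wakes, finds
        nothing, and waits again.  Harmless, and it guarantees that no
        request can be left in the queue with every worker asleep."""
        self._sem.release()

    def get(self, timeout=None):
        """Block until a permit is available.  Returns None on a spurious
        wake-up (permit without a request); the caller just waits again."""
        if not self._sem.acquire(timeout=timeout):
            return None
        with self._lock:
            if self._queue:
                return self._queue.popleft()
        return None


def run_pool(requests, n_workers=4):
    """Hand every request to a pool of workers; returns {request: worker name}.
    Requests here are plain Python objects (constructed sample input)."""
    q = RequestQueue()
    results = {}
    results_lock = threading.Lock()
    stop = threading.Event()

    def worker():
        while not stop.is_set():
            req = q.get(timeout=0.05)
            if req is None:
                continue                     # spurious wake-up or idle: back to waiting
            with results_lock:
                results[req] = threading.current_thread().name

    threads = [threading.Thread(target=worker, name=f"w{i}") for i in range(n_workers)]
    for t in threads:
        t.start()
    for r in requests:
        q.put(r)
    q.kick()                                 # over-signal on purpose (fail-safe)
    q.kick()

    deadline = time.monotonic() + 5.0        # bounded wait for the pool to drain
    while time.monotonic() < deadline:
        with results_lock:
            if len(results) == len(requests):
                break
        time.sleep(0.01)
    stop.set()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    done = run_pool(list(range(50)))
    print(f"{len(done)} requests handled by {sorted(set(done.values()))}")
```

Note that the number of permits on the semaphore is always at least the number of queued requests, so a request can never sit in the queue while every worker sleeps; the worst case of over-signalling is a wasted wake-up.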
aland [Fri, 5 Dec 2003 20:49:03 +0000 (20:49 +0000)]
Re-arranged the rad_check_list & proxy_check_list code to make
a little more sense. The main request handling loop which does
select() is now a little smaller.
We now have a packet_ok() function, to see if the incoming packet
is acceptable.
We now have a request_ok() function, which sees if the request
(as a whole) is acceptable.
The old code mixed up a lot of the packet/request checking into
multiple functions which each did packet/request checking. The
new code is a little more straightforward.
The idea is to fix the race condition in the proxy code (bug #7),
and to apply the pending multi-cpu patches, by adding a queue of
requests we're sitting on, but which haven't yet been given to a
thread.
The new code makes it a little clearer as to what changes have
to be made, and where, in order to add those features.
aland [Fri, 5 Dec 2003 18:45:48 +0000 (18:45 +0000)]
container is a ptr, not a ptr to a ptr
Update casts to be prettier
kkalev [Fri, 5 Dec 2003 17:44:29 +0000 (17:44 +0000)]
Add the code to eaptls_ack_handler which was removed in the previous commit.
Add an entry initialized in tls_info_t which is set to 1 by eaptls_msg.
In eaptls_ack_handler check the info elements only if initialized is not set to zero.
If it is set to zero then just return EAPTLS_REQUEST and wait for more data.
kkalev [Fri, 5 Dec 2003 17:40:13 +0000 (17:40 +0000)]
Replace u_int8_t with uint8_t which is the correct one
aland [Fri, 5 Dec 2003 15:38:14 +0000 (15:38 +0000)]
Call pam_end with proper return value, to let the pam libraries
clean up after themselves.
Patch from max liccardo
aland [Thu, 4 Dec 2003 18:27:33 +0000 (18:27 +0000)]
Never mind. Editing the configuration files is simpler.
aland [Thu, 4 Dec 2003 18:26:28 +0000 (18:26 +0000)]
A few simple configuration changes to make iPass support easier
aland [Thu, 4 Dec 2003 16:55:50 +0000 (16:55 +0000)]
As posted to the list by Walter Perris
aland [Wed, 3 Dec 2003 21:56:19 +0000 (21:56 +0000)]
When a REQUEST is proxied, set the option that it's proxied,
instead of keying off of the existence of request->proxy
aland [Wed, 3 Dec 2003 21:55:24 +0000 (21:55 +0000)]
Add the ability to associate arbitrary data with a REQUEST structure.
This should make a number of things much easier...
aland [Wed, 3 Dec 2003 20:18:40 +0000 (20:18 +0000)]
Remove a trailing space after the '\\'. It MUST be the last
character in the line!
kkalev [Wed, 3 Dec 2003 14:32:42 +0000 (14:32 +0000)]
Add a patch from Jon Miner <miner@doit.wisc.edu> to add the ability to configure
various LDAP TLS options
aland [Tue, 2 Dec 2003 19:57:59 +0000 (19:57 +0000)]
Updates.
aland [Tue, 2 Dec 2003 19:25:04 +0000 (19:25 +0000)]
It's a start
kkalev [Tue, 2 Dec 2003 14:21:43 +0000 (14:21 +0000)]
In eaptls_ack_handler delete all relevant code about checking ssl parameters
We are handling an EAP-TLS ACK packet which by definition does not contain
any data. So there's no possibility of these values existing in the first place.
pnixon [Tue, 2 Dec 2003 14:20:28 +0000 (14:20 +0000)]
Karlnet (makes point-to-multipoint software for Lucent APs, and own APs now).
Its VSAs are used for setting the operation mode of APs and bandwidth parameters of clients
pnixon [Mon, 1 Dec 2003 16:33:11 +0000 (16:33 +0000)]
Added Navini thanks to "Paul Shields" <pshields@navini.com>
kkalev [Sat, 29 Nov 2003 21:22:18 +0000 (21:22 +0000)]
attr_vp->strvalue can sometimes not exist. Use replace_STR instead
pnixon [Sat, 29 Nov 2003 15:44:33 +0000 (15:44 +0000)]
new accounting_update_query for oracle
aland [Fri, 28 Nov 2003 19:32:52 +0000 (19:32 +0000)]
Re-arrange the proxy code, to group the "massage the packet"
code into one area.
pnixon [Fri, 28 Nov 2003 16:20:15 +0000 (16:20 +0000)]
Update AcctSessionTime also on accounting_update packets
pnixon [Fri, 28 Nov 2003 16:06:54 +0000 (16:06 +0000)]
Update some extra fields on accounting_update packets
pnixon [Fri, 28 Nov 2003 16:02:13 +0000 (16:02 +0000)]
Reformat accounting_update_query
pnixon [Fri, 28 Nov 2003 15:57:05 +0000 (15:57 +0000)]
update the acctinputoctets and acctoutputoctets on accounting_update
aland [Thu, 27 Nov 2003 21:45:41 +0000 (21:45 +0000)]
When creating attributes from strings Attr-%d, or Vendor-%d-Attr-%d,
look the parsed attributes up in the dictionary, and use the name
and type from there (after parsing the octets)
This "normalizes" the names and values for the attributes...
aland [Thu, 27 Nov 2003 20:54:53 +0000 (20:54 +0000)]
Parse Attr-%d and Vendor-%d-Attr-%d into VALUE_PAIR's, as the
named attribute isn't in the dictionary.
We should probably fix the function to double-check the dictionary
for the attribute, and use that correct name, if it exists...
This fixes bugzilla #8
aland [Thu, 27 Nov 2003 19:21:15 +0000 (19:21 +0000)]
A little bit of future-proofing, for other vendors who have
4-octet VSA's. The code isn't done yet, but it's a little more
obvious as to what has to be done to support it, and why.
aland [Thu, 27 Nov 2003 16:57:17 +0000 (16:57 +0000)]
Fail authentication if the User-Name attribute changes value
in the middle of the authentication process, or if the User-Name
attribute doesn't match the EAP-Identity
Patch from Michael Griego
aland [Thu, 27 Nov 2003 16:43:38 +0000 (16:43 +0000)]
Handle vendor codes larger than 16 bits.
aland [Thu, 27 Nov 2003 15:43:38 +0000 (15:43 +0000)]
The 'indictors' array should be long-lived, and not allocated on
the stack.
Patch from Michael Wins
aland [Wed, 26 Nov 2003 22:51:02 +0000 (22:51 +0000)]
Use paircreate(), rather than our own malloc(), to create VP's.
This avoids a lot of the problems with respect to doing our own
dictionary lookups...
Removed all references to 'attr->' from rad_decode(). It's no longer
necessary, and was being used without checking if attr was NULL
(which it could be, but not in the code de-referencing it)
Yuck. Smaller, simpler code is better.
aland [Wed, 26 Nov 2003 21:51:36 +0000 (21:51 +0000)]
Patch to better use include/lib directories, and keep track of -lz
aland [Wed, 26 Nov 2003 21:21:12 +0000 (21:21 +0000)]
rad_decode() now checks the VSA the first time it runs into
Vendor-Specific. If it looks like an RFC-compatible VSA, then
it uses that.
If it looks like a USR style VSA, then it uses that.
If it doesn't look like anything intelligent (i.e. certain vendors
who shall remain nameless), then it leaves the attribute as
Vendor-Specific, of type 'octets'.
This makes the server a little more flexible...
aland [Wed, 26 Nov 2003 20:56:40 +0000 (20:56 +0000)]
Moved trailing 'Ascend' on each attribute to BEGIN/END-VENDOR
blocks. This makes the dictionary a little prettier, and also
allows the 'encrypt=3' stuff to work.
aland [Wed, 26 Nov 2003 20:42:51 +0000 (20:42 +0000)]
Added 'encrypt=3' to the dictionaries, to avoid having the code
in radius.c add the flags manually
aland [Wed, 26 Nov 2003 20:34:24 +0000 (20:34 +0000)]
VSA's of length 6 are disallowed.
VSA's with vendor ID of zero are disallowed.
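The Vendor-Specific decoding rules from the two entries above (the rad_decode() classification of 26 Nov 21:21 and the length-6 / vendor-ID-zero rejections of 26 Nov 20:34), as an added Python example. It is not the server's rad_decode(); the function names and the sample AVPs are mine. It applies the RFC 2865 layout (4-octet vendor ID, then vendor-type / vendor-length / value sub-attributes) first, falls back to the USR layout (vendor ID 429, a 4-octet vendor type and no vendor length) and otherwise keeps the payload as opaque octets, which is the order the commit message describes.

```python
import struct
from dataclasses import dataclass

VENDOR_SPECIFIC = 26        # RADIUS attribute type for Vendor-Specific
VENDOR_USR = 429            # US Robotics: 4-octet vendor type, no vendor length


@dataclass
class VendorAttr:
    vendor: int
    vtype: int
    value: bytes


def _parse_rfc_subattrs(payload):
    """Walk vendor-type/vendor-length/value triples.  Returns a list of
    (type, value) if the payload is exactly covered, else None."""
    subs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 2:
            return None
        t, l = payload[off], payload[off + 1]
        if l < 2 or off + l > len(payload):
            return None
        subs.append((t, payload[off + 2:off + l]))
        off += l
    return subs


def classify_vsa(avp):
    """Classify one raw Vendor-Specific AVP (type, length, vendor id, data).

    Returns one of:
      ("reject", reason)            malformed; the packet should be dropped
      ("rfc", [VendorAttr, ...])    RFC-style sub-attributes
      ("usr", VendorAttr)           USR-style 4-octet vendor type
      ("octets", payload)           unknown layout: keep as Vendor-Specific octets
    """
    if len(avp) < 2 or avp[0] != VENDOR_SPECIFIC or avp[1] != len(avp):
        return ("reject", "not a well-formed Vendor-Specific AVP")
    if len(avp) <= 6:
        return ("reject", "VSA of length 6 carries a vendor id and nothing else")
    vendor = struct.unpack("!I", avp[2:6])[0]
    if vendor == 0:
        return ("reject", "vendor id 0 is not allowed")
    payload = avp[6:]

    subs = _parse_rfc_subattrs(payload)
    if subs is not None:
        return ("rfc", [VendorAttr(vendor, t, v) for t, v in subs])
    if vendor == VENDOR_USR and len(payload) >= 4:
        vtype = struct.unpack("!I", payload[:4])[0]
        return ("usr", VendorAttr(vendor, vtype, payload[4:]))
    return ("octets", payload)


def build_vsa(vendor, subattrs):
    """Encode an RFC-style VSA from (vendor-type, value) pairs (test helper)."""
    payload = b"".join(bytes([t, 2 + len(v)]) + v for t, v in subattrs)
    body = struct.pack("!I", vendor) + payload
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


if __name__ == "__main__":
    # Constructed sample: a Cisco (vendor 9) AVPair sub-attribute.
    print(classify_vsa(build_vsa(9, [(1, b"shell:priv-lvl=15")])))
    # Constructed sample: a USR-style VSA with a 4-octet vendor type.
    print(classify_vsa(b"\x1a\x0d\x00\x00\x01\xad\x00\x00\xbf\x77abc"))
    print(classify_vsa(b"\x1a\x06\x00\x00\x00\x09"))      # length 6: rejected
```

The RFC walk must consume the payload exactly; a sub-attribute whose vendor-length runs past the end is the classic way a malformed VSA turns into an out-of-bounds read, so it is treated as "does not look RFC-compatible" rather than trusted.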
aland [Wed, 26 Nov 2003 20:11:39 +0000 (20:11 +0000)]
Removed code in rad_recv() which tried to verify the correct
format of VSA's. Too many vendors have too many stupid VSA formats
to make this check worth-while.
aland [Wed, 26 Nov 2003 18:51:32 +0000 (18:51 +0000)]
Unlock the list AFTER we've finished mucking with it, not before.
Patch from Michael Griego
aland [Wed, 26 Nov 2003 15:54:37 +0000 (15:54 +0000)]
Updated return codes & error checks.
Finalized change from last commit: n -> n2 inside of the loop, too
aland [Wed, 26 Nov 2003 15:45:29 +0000 (15:45 +0000)]
Allow sql module to be disabled at configure time.
aland [Tue, 25 Nov 2003 19:18:11 +0000 (19:18 +0000)]
Assert that the expected schema is returned
aland [Tue, 25 Nov 2003 16:03:17 +0000 (16:03 +0000)]
RADIUS attributes can be up to ~256 bytes long.
This is the pam_smb vulnerability from a while ago...
mcr [Sat, 22 Nov 2003 00:21:17 +0000 (00:21 +0000)]
send the encryption keys to the AccessPoint.
mcr [Sat, 22 Nov 2003 00:20:50 +0000 (00:20 +0000)]
the version list attribute's length of versions is in bytes,
not entries.
mcr [Sat, 22 Nov 2003 00:10:18 +0000 (00:10 +0000)]
the version list attribute's length of versions is in bytes,
not entries.
mcr [Sat, 22 Nov 2003 00:09:49 +0000 (00:09 +0000)]
add a second #ifdef in case we need to dump keys in production.
mcr [Fri, 21 Nov 2003 19:15:51 +0000 (19:15 +0000)]
rename "SIM-Chal" to "SIM-Rand" to sync with names in official
documentation.
mcr [Fri, 21 Nov 2003 19:02:51 +0000 (19:02 +0000)]
updates to test for new RAND attribute packing.
mcr [Fri, 21 Nov 2003 19:02:19 +0000 (19:02 +0000)]
pack the RAND attribute properly - should have 2 bytes
reserved.
mcr [Fri, 21 Nov 2003 19:01:59 +0000 (19:01 +0000)]
make sure that we are using the right sizes for the SHA1 key.
mcr [Fri, 21 Nov 2003 19:01:24 +0000 (19:01 +0000)]
verify that the RAND that was sent matches the one we were
told about - this found a bug in attribute packing.
mcr [Fri, 21 Nov 2003 19:00:50 +0000 (19:00 +0000)]
always turn on SHA1 debugging, but have a run-time flag.
mcr [Fri, 21 Nov 2003 19:00:29 +0000 (19:00 +0000)]
rename "SIM-Chal" to "SIM-Rand" to sync with names in official
documentation.
mcr [Fri, 21 Nov 2003 18:59:54 +0000 (18:59 +0000)]
update documentation on EAP-SIM to .12.
mcr [Fri, 21 Nov 2003 01:20:57 +0000 (01:20 +0000)]
use HOSTINFO and RADIUS_VERSION variables
use OPENSSL_LIBS and OPENSSL_INCLUDES variables
mcr [Fri, 21 Nov 2003 01:20:30 +0000 (01:20 +0000)]
regenerated configure scripts.
mcr [Fri, 21 Nov 2003 01:20:08 +0000 (01:20 +0000)]
added abs_top_builddir to be 2.13/2.57 compatible.
added OPENSSL_LIBS/OPENSSL_INCLUDES variable
added HOSTINFO variable
removed explicit append to src/include/autoconf.h.
mcr [Fri, 21 Nov 2003 01:17:28 +0000 (01:17 +0000)]
this seems to be a duplicate prototype.
mcr [Fri, 21 Nov 2003 01:16:53 +0000 (01:16 +0000)]
some more UNUSED markings.
mcr [Fri, 21 Nov 2003 01:16:36 +0000 (01:16 +0000)]
fix some signed/unsigned warnings.
mcr [Fri, 21 Nov 2003 01:16:13 +0000 (01:16 +0000)]
cast to unsigned.
mcr [Fri, 21 Nov 2003 01:15:50 +0000 (01:15 +0000)]
use unsigned counter for second loop.
mcr [Fri, 21 Nov 2003 01:15:35 +0000 (01:15 +0000)]
use size_t for lengths.
mcr [Fri, 21 Nov 2003 01:15:15 +0000 (01:15 +0000)]
match prototype to definition.
mcr [Thu, 20 Nov 2003 22:45:24 +0000 (22:45 +0000)]
fixes for EAP key length.
mcr [Thu, 20 Nov 2003 22:43:09 +0000 (22:43 +0000)]
added EAP-Type values.
mcr [Thu, 20 Nov 2003 22:36:46 +0000 (22:36 +0000)]
#if and #ifdef are different, and this situation requires #ifdef.
mcr [Thu, 20 Nov 2003 22:36:23 +0000 (22:36 +0000)]
mark arguments as UNUSED.
mcr [Thu, 20 Nov 2003 22:35:46 +0000 (22:35 +0000)]
introduce temporary variable so that "builtin" htonl()
definitions do not get complaints about _v shadowing global.
mcr [Thu, 20 Nov 2003 22:35:05 +0000 (22:35 +0000)]
change prototype to use "size_t" since it is a buffer size,
and should never be negative.
mcr [Thu, 20 Nov 2003 22:34:32 +0000 (22:34 +0000)]
added defines for gcc extensions, so they can be used,
particularly "UNUSED" for arg lists.
mcr [Thu, 20 Nov 2003 22:32:00 +0000 (22:32 +0000)]
added "TAGS" target.
aland [Thu, 20 Nov 2003 19:15:50 +0000 (19:15 +0000)]
Simplified rad_send()
aland [Thu, 20 Nov 2003 19:14:57 +0000 (19:14 +0000)]
Don't loop forever
aland [Thu, 20 Nov 2003 17:45:42 +0000 (17:45 +0000)]
Any Access-Request which contains a Tunnel-Password attribute
would cause the server to crash. It now causes the packet
to be rejected.
Re-wrote rad_tunnel_pwdecode() to be a bit more robust on its
input, and to make a little more sense to me...
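An added example of the input checks a robust Tunnel-Password decoder needs, following the RFC 2868 section 3.5 construction (tag, 2-octet salt with its high bit set, then 16-octet blocks chained through MD5 over the shared secret). This is Python written for this page, not the server's rad_tunnel_pwdecode(); the function names, the secret and the authenticator are constructed test values. The encoder exists only so the decoder can be exercised offline.

```python
import hashlib
import os


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def tunnel_pwencode(password, secret, request_auth, tag=0, salt=None):
    """Encrypt a password as a Tunnel-Password value: tag | salt | ciphertext."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if len(request_auth) != 16:
        raise ValueError("request authenticator is 16 octets")
    # Attribute value is at most 253 octets: 1 tag + 2 salt + 15 blocks of 16,
    # and the first plaintext octet is the length, so 239 password octets.
    if len(password) > 239:
        raise ValueError("password too long for one attribute")
    if salt is None:
        r = os.urandom(2)
        salt = bytes([0x80 | r[0], r[1]])      # high bit of the salt must be set
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)        # zero-pad to a 16-octet boundary
    out = b""
    b = _md5(secret, request_auth, salt)         # b1 = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        b = _md5(secret, c)                      # b(i) = MD5(S + c(i-1))
    return bytes([tag]) + salt + out


def tunnel_pwdecode(value, secret, request_auth):
    """Decrypt a Tunnel-Password value.  Returns (tag, password).

    Every structural assumption is checked before it is used, so a packet
    that carries a short, unpadded or mis-salted value is rejected instead
    of driving the decoder past the end of its buffer.
    """
    if len(request_auth) != 16:
        raise ValueError("request authenticator is 16 octets")
    if len(value) < 1 + 2 + 16:
        raise ValueError("too short: need tag, 2-octet salt and one 16-octet block")
    tag, salt, cipher = value[0], value[1:3], value[3:]
    if tag > 0x1F:
        raise ValueError("invalid tag octet")
    if not salt[0] & 0x80:
        raise ValueError("salt high bit is not set")
    if len(cipher) % 16:
        raise ValueError("ciphertext is not a multiple of 16 octets")
    plain = b""
    b = _md5(secret, request_auth, salt)
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ k for x, k in zip(c, b))
        b = _md5(secret, c)
    n = plain[0]                                 # embedded length octet
    if n > len(plain) - 1:
        raise ValueError("embedded length exceeds the decrypted data")
    return tag, plain[1:1 + n]


if __name__ == "__main__":
    secret = b"testing123"                       # constructed shared secret
    ra = bytes(range(16))                        # constructed Request Authenticator
    v = tunnel_pwencode(b"hello", secret, ra, tag=3, salt=b"\x85\x17")
    print(v.hex(), tunnel_pwdecode(v, secret, ra))
```

The embedded length check is the one that matters most: the length octet is attacker-controlled plaintext once the secret is wrong or the value is garbage, and copying that many octets out of a 16- or 32-octet buffer is exactly the kind of defect the entry above describes.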
aland [Thu, 20 Nov 2003 15:37:56 +0000 (15:37 +0000)]
Check for tags only if the 'length' field says there's sufficient
room for one.
kkalev [Thu, 20 Nov 2003 14:46:47 +0000 (14:46 +0000)]
Remove the 'AND AcctStopTime = 0' from the corresponding sql queries. This check
can lead to duplicate entries in the database. We prefer to just update the same
row a few times than have duplicate data
aland [Wed, 19 Nov 2003 20:33:03 +0000 (20:33 +0000)]
Check the sub-sections of authorize{}, authenticate{}, etc.
They SHOULD be Autz-Type, Auth-Type, etc.
Complain if they're not
cparker [Tue, 18 Nov 2003 22:51:57 +0000 (22:51 +0000)]
Updated to add conditional inclusion of <stdint.h> for systems that define
uint8_t there, such as Mac OS X.
aland [Tue, 18 Nov 2003 22:12:12 +0000 (22:12 +0000)]
Include autoconf.h, so we can get types defined...
aland [Tue, 18 Nov 2003 20:43:58 +0000 (20:43 +0000)]
Clean up printing of debug information, so it doesn't screw things
up when it's not supposed to be printed.
aland [Tue, 18 Nov 2003 20:43:13 +0000 (20:43 +0000)]
Check for clients which don't pad AVP's to a 4 octet boundary
aland [Mon, 17 Nov 2003 21:12:33 +0000 (21:12 +0000)]
rlm_eap depends on libeap...
aland [Mon, 17 Nov 2003 21:09:42 +0000 (21:09 +0000)]
u_int -> uint
aland [Mon, 17 Nov 2003 21:06:06 +0000 (21:06 +0000)]
Added libtool --finish, which is apparently needed...
Patch from Nicolas Baradakis
aland [Mon, 17 Nov 2003 20:41:49 +0000 (20:41 +0000)]
If we see trailing '%', '$', or '\\' at the end of a string
during xlat, then copy that character to the output
kkalev [Mon, 17 Nov 2003 18:10:27 +0000 (18:10 +0000)]
Add a new configuration directive, do_xlat (default: yes). If set we use pairxlatmove
on the radius attributes, else we fall back to the plain old pairadd. That way people
can fall back on the 0.8.1 behaviour without making changes to their ldap database or
gain a little performance by not using pairxlatmove
pnixon [Mon, 17 Nov 2003 12:27:39 +0000 (12:27 +0000)]
Doco: A timestamp that is preceded by an asterisk (*) or a dot (.) may not be accurate. An asterisk (*) means that after a gateway reboot, the gateway clock was not manually set and the gateway has not synchronized with an NTP server yet. A dot (.) means the gateway NTP has lost synchronization with an NTP server.
kkalev [Sun, 16 Nov 2003 23:51:01 +0000 (23:51 +0000)]
Add a note about also using the AcctUniqueId in the accounting_stop which
can result in less candidate rows for the sql server to search for when
executing the query
mcr [Fri, 14 Nov 2003 03:47:06 +0000 (03:47 +0000)]
include pointer to openssl include directory so that the
right openssl headers are used.
vorlon [Sun, 9 Nov 2003 06:01:06 +0000 (06:01 +0000)]
Support for configurable keytab locations and service principal names
Remove superfluous debugging statement
aland [Sat, 8 Nov 2003 14:25:41 +0000 (14:25 +0000)]
Corrected typo, and increased max eap types
aland [Fri, 7 Nov 2003 15:26:53 +0000 (15:26 +0000)]
If the user sends a NAK with an EAP type, and their configuration
says "EAP-Type := FOO", then reject them if they didn't ask for FOO.
This makes EAP work like PAP/CHAP/etc. The server usually figures
out on its own how to authenticate a user, but if a user is
required to use authentication method FOO, then any attempt to
use a method other than FOO gets rejected
kkalev [Fri, 7 Nov 2003 12:58:46 +0000 (12:58 +0000)]
Add some debug statements when we do a bind operation
aland [Thu, 6 Nov 2003 19:27:19 +0000 (19:27 +0000)]
Don't check for 'unsigned int' to be > 0, it's always true.
aland [Thu, 6 Nov 2003 15:41:21 +0000 (15:41 +0000)]
u_int -> uint
aland [Thu, 6 Nov 2003 15:37:24 +0000 (15:37 +0000)]
Update includes to work a little better