Alan T. DeKok [Sun, 29 Apr 2012 13:06:31 +0000 (15:06 +0200)]
Fix typo
Alan T. DeKok [Sun, 29 Apr 2012 10:52:27 +0000 (12:52 +0200)]
Make ASCII versions of counters auto 32/64 bit
Alan T. DeKok [Sun, 29 Apr 2012 10:44:24 +0000 (12:44 +0200)]
Use the correct type for statistics counters
Alan T. DeKok [Sun, 29 Apr 2012 08:16:44 +0000 (10:16 +0200)]
Allow referencing tags in xlat
%{Tunnel-Type:1} works, and is the same as
%{Tunnel-Type:1[0]}
All of the other expansions now work, too
Alan T. DeKok [Sun, 29 Apr 2012 07:47:06 +0000 (09:47 +0200)]
Renamed "extended-flags" to "long-extended"
To match the latest specifications.
Alan T. DeKok [Thu, 26 Apr 2012 11:30:31 +0000 (13:30 +0200)]
Note that raddebug can be used
Alan T. DeKok [Sun, 22 Apr 2012 15:20:07 +0000 (17:20 +0200)]
Fix typo
Alan T. DeKok [Sun, 22 Apr 2012 08:34:14 +0000 (10:34 +0200)]
Move / add header files
Includes belong AFTER the main includes, not before
Alan T. DeKok [Tue, 17 Apr 2012 16:07:07 +0000 (18:07 +0200)]
Auto-calculate the CHAP-Password
As before, *unless* it's 17 hex digits. In that case, leave it alone.
Alan T. DeKok [Tue, 17 Apr 2012 15:28:27 +0000 (17:28 +0200)]
Fix typo in parsing limit configuration
Alan T. DeKok [Tue, 17 Apr 2012 13:35:50 +0000 (15:35 +0200)]
Word smithing
Alan T. DeKok [Tue, 17 Apr 2012 13:35:08 +0000 (15:35 +0200)]
Fix typo
Arran Cudbard-Bell [Sun, 15 Apr 2012 18:53:16 +0000 (20:53 +0200)]
Add git post-receive hook for configuration updates
Alan T. DeKok [Sun, 15 Apr 2012 12:06:35 +0000 (14:06 +0200)]
LDAPS port is 636, not 689
Alan T. DeKok [Sun, 15 Apr 2012 12:04:16 +0000 (14:04 +0200)]
Document "port" entry for LDAP
Alan T. DeKok [Sun, 15 Apr 2012 09:47:22 +0000 (11:47 +0200)]
Move connection limiting code to its own data structure
So that it can be shared among home servers, clients, and
listeners.
Enable tcp socket timers for incoming packets, too.
This uses the same code as for outgoing home servers.
Alan T. DeKok [Fri, 13 Apr 2012 14:58:54 +0000 (16:58 +0200)]
Added "instance" to xlat_unregister
This is so that on HUP, a module can re-register, and over-ride
the old value. When the old module is deleted, it de-registers
its xlat. But because the instance is now different, it doesn't
delete the *new* xlat
Alan T. DeKok [Thu, 12 Apr 2012 15:54:43 +0000 (17:54 +0200)]
Don't complain if we find an NT-Password
just like we suppress complaints for finding a User-Password
Matthew Newton [Sun, 8 Apr 2012 21:02:55 +0000 (22:02 +0100)]
don't chgrp syslog
Matthew Newton [Sun, 8 Apr 2012 20:26:28 +0000 (21:26 +0100)]
don't segfault when invalid eap types in config
Matthew Newton [Sun, 8 Apr 2012 20:07:33 +0000 (21:07 +0100)]
eap-tls is no longer required for ttls or peap
Alan T. DeKok [Fri, 6 Apr 2012 13:19:46 +0000 (15:19 +0200)]
Re-order LIBS <-> -lpthread
-lpthread MAY need other libraries. So adding it first is a good idea.
Manual merge of
fd10e3b40
Alan T. DeKok [Thu, 5 Apr 2012 15:49:20 +0000 (17:49 +0200)]
Added dictionary.terena
Alan T. DeKok [Wed, 4 Apr 2012 08:43:32 +0000 (09:43 +0100)]
Build a library, not an executable
Alan T. DeKok [Tue, 3 Apr 2012 10:31:33 +0000 (11:31 +0100)]
Allow for new state transition on failure
if our RESPONSE gets a FAILURE message, it means that the
supplicant doesn't like our password. Rather than complaining
about unexpected response, just send failure.
Manual pull of
f26dcc5f45
Alan T. DeKok [Tue, 3 Apr 2012 10:28:26 +0000 (11:28 +0100)]
EAP-PWD RFC
Alan T. DeKok [Wed, 28 Mar 2012 15:14:56 +0000 (17:14 +0200)]
There might not be a reply
Alan T. DeKok [Wed, 28 Mar 2012 14:49:13 +0000 (16:49 +0200)]
Added "-name" to conditionally load a module
Now that we have mods-enabled, we can more easily conditionally
load a module.
Bjørn Mork [Tue, 27 Mar 2012 08:57:36 +0000 (10:57 +0200)]
Decode encrypted VSAs in requests
Incoming CoA requests can contain encrypted VSAs. At least one
vendor is known to use this. These VSAs must be decrypted before
being proxied to enable the server to re-encrypt them using
the correct home server secret.
Fix by attempting to decode any encrypted request attribute using
a static vector of \0 bytes.
This also fixes debug logging of encrypted request attributes.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Alan T. DeKok [Tue, 27 Mar 2012 07:20:52 +0000 (09:20 +0200)]
Depend on curl/curl.h
Alan T. DeKok [Tue, 27 Mar 2012 07:17:57 +0000 (09:17 +0200)]
Move to using configure
Alan T. DeKok [Tue, 27 Mar 2012 07:14:28 +0000 (09:14 +0200)]
This isn't needed
Alan T. DeKok [Tue, 27 Mar 2012 07:12:06 +0000 (09:12 +0200)]
This isn't needed
Alan T. DeKok [Tue, 27 Mar 2012 07:10:40 +0000 (09:10 +0200)]
Add newline.
C compilers hate files which don't end in a newline
Alan T. DeKok [Thu, 15 Mar 2012 21:37:22 +0000 (17:37 -0400)]
Added "Interim-Update" as a copy of "Alive"
Alan T. DeKok [Thu, 15 Mar 2012 13:03:22 +0000 (09:03 -0400)]
Set "close on exec" flag
Just to be safe.
Alan T. DeKok [Fri, 16 Mar 2012 15:47:54 +0000 (11:47 -0400)]
request_proxy_anew MAY get packets which aren't in the proxy hash
Because the socket got closed due to inactivity, errors, etc.
So check for that, and handle that case
Also handle the case of request_proxy() getting a request which
is already in the proxy hash.
Alan T. DeKok [Fri, 16 Mar 2012 15:46:41 +0000 (11:46 -0400)]
DUP proxied packets don't re-set the timer
So that the child threads don't mangle the main thread event loop
Alan T. DeKok [Tue, 13 Mar 2012 12:26:52 +0000 (08:26 -0400)]
Added checks for openssl/ec.h
Alan T. DeKok [Sat, 10 Mar 2012 14:12:50 +0000 (15:12 +0100)]
Ensure that configuration items have sane values
Alan T. DeKok [Fri, 9 Mar 2012 08:23:57 +0000 (09:23 +0100)]
Added support for {BASE64_MD5}
Alan T. DeKok [Thu, 8 Mar 2012 07:52:36 +0000 (08:52 +0100)]
Set self request to NULL
Which allows spare threads to be cleaned up
Alan T. DeKok [Wed, 7 Mar 2012 12:35:14 +0000 (13:35 +0100)]
Remove leading whitespace
Alan T. DeKok [Wed, 7 Mar 2012 09:34:45 +0000 (10:34 +0100)]
RFC which references new attribute(s)
Alan T. DeKok [Wed, 7 Mar 2012 09:34:29 +0000 (10:34 +0100)]
Clarify changes
Alan T. DeKok [Wed, 7 Mar 2012 09:32:55 +0000 (10:32 +0100)]
Don't try to lock the proxy mutex twice
Change "remove_all_proxied_requests" to call a "no lock" version
of "remove_from_proxy_hash". Then, DON'T mark the request as
"done". Instead, allow the client to retransmit, and thus re-send
the proxied request
Alan T. DeKok [Tue, 6 Mar 2012 11:38:37 +0000 (12:38 +0100)]
Check expansion in cf_expand_variables
Closes Debian bug #662194
Alan T. DeKok [Mon, 5 Mar 2012 10:24:53 +0000 (11:24 +0100)]
Fix for OSX Lion
Dan Harkins [Mon, 5 Mar 2012 09:52:42 +0000 (10:52 +0100)]
32/64 bit portability fixes
Matthew Newton [Sat, 3 Mar 2012 13:31:45 +0000 (13:31 +0000)]
Update raddb eap config - add tls option to the TTLS config section
Matthew Newton [Sat, 3 Mar 2012 13:29:27 +0000 (13:29 +0000)]
Add initiate code to rlm_eap_ttls, remove dependency on rlm_eap_tls
Matthew Newton [Sat, 3 Mar 2012 13:24:48 +0000 (13:24 +0000)]
Update raddb eap config - add tls option to the PEAP config section
Alan T. DeKok [Sun, 4 Mar 2012 09:41:41 +0000 (10:41 +0100)]
Move common TLS configuration into tls-config
Matthew Newton [Sat, 3 Mar 2012 13:20:17 +0000 (13:20 +0000)]
Give rlm_eap_peap an initiate function and remove dependency on rlm_eap_tls
Alan T. DeKok [Sun, 4 Mar 2012 09:39:55 +0000 (10:39 +0100)]
Removed unnecessary variable
Matthew Newton [Fri, 2 Mar 2012 21:30:07 +0000 (21:30 +0000)]
Split eap_tls initiate function, move session handling code into libeap/eaptls.c
Matthew Newton [Sat, 3 Mar 2012 15:00:11 +0000 (15:00 +0000)]
Move rlm_eap_tls TLS-specific config into user-specified section (given by new tls= option)
Matthew Newton [Wed, 29 Feb 2012 08:23:35 +0000 (08:23 +0000)]
Cache result of parsing server/client tls configs, so we don't have to do it
repeatedly. This means tls_server_conf_free no longer needs to be called, as
it will be freed up automatically.
Alan T. DeKok [Sun, 4 Mar 2012 08:54:22 +0000 (09:54 +0100)]
Forgot to commit the new attribute for queue %
Alan T. DeKok [Sat, 3 Mar 2012 18:53:56 +0000 (19:53 +0100)]
PWD sample file
Alan T. DeKok [Sat, 3 Mar 2012 18:26:57 +0000 (19:26 +0100)]
Rely on pointer for malloc/free
which seems to remove "double free" error
Alan T. DeKok [Sat, 3 Mar 2012 08:20:49 +0000 (09:20 +0100)]
Set src_ipaddr for STATUS_SERVER packets
Alan T. DeKok [Tue, 28 Feb 2012 12:56:59 +0000 (13:56 +0100)]
Fix typo
Alan T. DeKok [Mon, 27 Feb 2012 09:35:58 +0000 (10:35 +0100)]
Configure scripts for EAP-PWD
Alan T. DeKok [Fri, 24 Feb 2012 12:57:15 +0000 (13:57 +0100)]
Document auto_limit_acct and max_pps
Alan T. DeKok [Thu, 23 Feb 2012 15:29:28 +0000 (16:29 +0100)]
Use correct structure for TLS fragment size
set ssn->offset, and use that in proxy_tls_recv
Alan T. DeKok [Thu, 23 Feb 2012 14:16:18 +0000 (15:16 +0100)]
Add queue parameters to accounting config items
If auto_limit_acct is set, then
FreeRADIUS-Queue-PPS-In
FreeRADIUS-Queue-PPS-Out
FreeRADIUS-Queue-Use-Percentage
are added to the control items for accounting packets.
This allows the administrator to create policies which kick in
only when the server is loaded.
Alan T. DeKok [Thu, 23 Feb 2012 14:10:06 +0000 (15:10 +0100)]
Start at 181, not 180
Alan T. DeKok [Thu, 23 Feb 2012 13:02:12 +0000 (14:02 +0100)]
Export Queue PPS in/out via the "status" interface
Alan T. DeKok [Thu, 23 Feb 2012 12:04:31 +0000 (13:04 +0100)]
Client certs are signed by the CA, not by the server
Alan T. DeKok [Wed, 22 Feb 2012 08:25:18 +0000 (09:25 +0100)]
Use names for logging parameters, and correct values
Alan T. DeKok [Thu, 23 Feb 2012 09:11:46 +0000 (10:11 +0100)]
Document fragment_size for RadSec
The comments about EAP and ethernet frames are no longer
relevant
Alan T. DeKok [Thu, 23 Feb 2012 09:04:23 +0000 (10:04 +0100)]
Set TLS receive buffer from fragment size
TLS over TCP can send 64K TLS packets. We need to be able to
handle that.
Alan T. DeKok [Thu, 23 Feb 2012 08:25:15 +0000 (09:25 +0100)]
Lower the impact of auto_limit_acct when it's disabled
Alan T. DeKok [Wed, 22 Feb 2012 16:19:48 +0000 (17:19 +0100)]
Added auto limiting for accounting packets.
If the thread queue is emptying more slowly than it's filling,
then start throwing away accounting packets.
Alan T. DeKok [Wed, 22 Feb 2012 15:43:30 +0000 (16:43 +0100)]
Moved PPS calculations to a utility function
Alan T. DeKok [Wed, 22 Feb 2012 15:37:26 +0000 (16:37 +0100)]
Conditional compilation. Curl might not have TLS
Alan T. DeKok [Wed, 22 Feb 2012 10:31:38 +0000 (11:31 +0100)]
Build EAP-PWD only if we're using OpenSSL
Arran Cudbard-Bell [Wed, 22 Feb 2012 09:37:17 +0000 (10:37 +0100)]
Fix content of demo http server
Arran Cudbard-Bell [Wed, 22 Feb 2012 08:53:32 +0000 (09:53 +0100)]
Merge branch 'master' of github.com:alandekok/freeradius-server
Arran Cudbard-Bell [Wed, 22 Feb 2012 08:53:19 +0000 (09:53 +0100)]
Move rest config to new mods-available directory
Alan T. DeKok [Wed, 22 Feb 2012 08:51:59 +0000 (09:51 +0100)]
Move to correct place
Alan T. DeKok [Wed, 22 Feb 2012 08:50:55 +0000 (09:50 +0100)]
Fix typo
Alan T. DeKok [Wed, 22 Feb 2012 08:38:46 +0000 (09:38 +0100)]
Note recent changes
Alan DeKok [Wed, 22 Feb 2012 08:37:49 +0000 (00:37 -0800)]
Merge pull request #50 from arr2036/rlm_rest
Add rlm_rest which does REST calls to an external HTTP server.
Alan T. DeKok [Wed, 22 Feb 2012 08:25:18 +0000 (09:25 +0100)]
Use names for logging parameters, and correct values
Alan T. DeKok [Tue, 21 Feb 2012 17:07:23 +0000 (18:07 +0100)]
Better fix for fixed point computations
So if rate_pps < 1000, we can still count it.
Alan T. DeKok [Tue, 21 Feb 2012 16:51:08 +0000 (17:51 +0100)]
Add rate limiting for network sockets
via "max_pps" in the "listen" section. It takes a count of the
packets received in the last second. If it's over max_pps, the
new packet is ignored. Otherwise, it's allowed.
We probably should instead have adaptive rate limiting based on
how many packets/s *finish* processing. But that's harder to do
for now.
Alan T. DeKok [Tue, 21 Feb 2012 13:54:08 +0000 (14:54 +0100)]
Added virtual server support
To make it simpler, and like the rest of the system
Alan T. DeKok [Tue, 21 Feb 2012 08:08:44 +0000 (09:08 +0100)]
Warn if we can't shut down modules cleanly
Alan T. DeKok [Tue, 21 Feb 2012 08:08:27 +0000 (09:08 +0100)]
Don't close connections that are in use.
Alan T. DeKok [Tue, 21 Feb 2012 07:57:49 +0000 (08:57 +0100)]
Try to use identity from SIM protocol, not EAP-Identity
Dan Harkins [Tue, 21 Feb 2012 08:15:53 +0000 (09:15 +0100)]
Sample configuration for EAP-PWD
Alan T. DeKok [Tue, 21 Feb 2012 08:13:53 +0000 (09:13 +0100)]
Make files so that EAP-PWD builds
Dan Harkins [Tue, 21 Feb 2012 08:12:24 +0000 (09:12 +0100)]
EAP-PWD Implementation
http://ietf.org/rfc/rfc5931.txt
Alan T. DeKok [Tue, 21 Feb 2012 08:10:42 +0000 (09:10 +0100)]
Define name and value for EAP-PWD
Arran Cudbard-Bell [Mon, 10 Oct 2011 18:20:44 +0000 (20:20 +0200)]
Initial commit of rlm_rest module
Add library independent streaming JSON generator
Add library independent streaming POST generator
Add support for parsing JSON and POST responses
Add support for parsing do_xlat and is_json flags in JSON responses
Add function to emulate CURL's multiple calls to the JSON generator when in stream mode, to allow transfer of data as a single contiguous block
Deduplicate truncation detection code.
Improve consistency of documentation.
Replace 1, 0 return codes with TRUE/FALSE macros.
Slightly better version of rest_uri_build
Add tables for auth types
Add a bunch of formatting fixes and extra options for SSL certs in curl
Alan T. DeKok [Fri, 17 Feb 2012 14:19:29 +0000 (15:19 +0100)]
Document MySQL character set issues
Patch from Stefan Winter
Alan T. DeKok [Fri, 17 Feb 2012 10:19:50 +0000 (11:19 +0100)]
New dictionary
Alan T. DeKok [Mon, 13 Feb 2012 19:59:29 +0000 (20:59 +0100)]
Added User-Role attribute