Alan DeKok [Thu, 20 Oct 2011 21:33:59 +0000 (14:33 -0700)]
Merge pull request #26 from philmayers/fix-sess-cache
use the OpenSSL ex_data functions to allocate an index w/ free function t
Phil Mayers [Thu, 20 Oct 2011 20:52:54 +0000 (21:52 +0100)]
use the OpenSSL ex_data functions to allocate an index w/ free function to hold the cached VPs
Alan T. DeKok [Thu, 20 Oct 2011 12:24:09 +0000 (14:24 +0200)]
Tell OpenSSL that the data is gone
Alan T. DeKok [Wed, 19 Oct 2011 15:46:17 +0000 (17:46 +0200)]
Quiet compiler warning
Alan T. DeKok [Wed, 19 Oct 2011 15:43:28 +0000 (17:43 +0200)]
Initialize the structure
Alan T. DeKok [Wed, 19 Oct 2011 15:43:15 +0000 (17:43 +0200)]
Initialize all of the structure
Alan T. DeKok [Wed, 19 Oct 2011 15:39:45 +0000 (17:39 +0200)]
Free memory on error
Alan T. DeKok [Wed, 19 Oct 2011 15:38:56 +0000 (17:38 +0200)]
Free memory on instantiation error
Alan T. DeKok [Wed, 19 Oct 2011 15:37:16 +0000 (17:37 +0200)]
Free memory on error
Alan T. DeKok [Wed, 19 Oct 2011 15:35:56 +0000 (17:35 +0200)]
Close fp on error
Alan T. DeKok [Wed, 19 Oct 2011 15:34:01 +0000 (17:34 +0200)]
Call closedir() on error
Alan T. DeKok [Wed, 19 Oct 2011 15:26:36 +0000 (17:26 +0200)]
Catch case where User-Name may be > 250 octets
Alan T. DeKok [Wed, 19 Oct 2011 15:20:37 +0000 (17:20 +0200)]
Only "string" can have "encrypt=2"
Alan T. DeKok [Wed, 19 Oct 2011 15:08:58 +0000 (17:08 +0200)]
Add FALL-THROUGH for 'case' without 'break'
Alan T. DeKok [Wed, 19 Oct 2011 15:05:25 +0000 (17:05 +0200)]
Unlink file only if it exists
Alan T. DeKok [Wed, 19 Oct 2011 15:04:05 +0000 (17:04 +0200)]
Check auth_pool_name
Alan T. DeKok [Wed, 19 Oct 2011 15:02:06 +0000 (17:02 +0200)]
Add port if it's available
Alan T. DeKok [Wed, 19 Oct 2011 15:01:54 +0000 (17:01 +0200)]
Check passed parameter
Alan T. DeKok [Wed, 19 Oct 2011 14:59:52 +0000 (16:59 +0200)]
Error if there is no detail file listener
Alan T. DeKok [Wed, 19 Oct 2011 14:54:40 +0000 (16:54 +0200)]
Fix sizeof() checks found by Coverity
Alan T. DeKok [Wed, 19 Oct 2011 12:04:47 +0000 (14:04 +0200)]
Clean up error message so it makes more sense
Alan T. DeKok [Wed, 19 Oct 2011 08:37:17 +0000 (10:37 +0200)]
Move "free cached VPs" to the correct location
They're freed when SSL says that the session is freed.
Not when we think we're closing the session.
SSL might cache it.
Arran Cudbard-Bell [Tue, 18 Oct 2011 09:14:59 +0000 (11:14 +0200)]
Re-alphabetise one char expansions
Arran Cudbard-Bell [Tue, 18 Oct 2011 09:06:25 +0000 (02:06 -0700)]
Merge pull request #11 from amne/master
new var in xlat: %G request minute
Alan T. DeKok [Tue, 18 Oct 2011 06:37:21 +0000 (08:37 +0200)]
Switch to SHA1 for message digest
MD5 has been attacked. We shouldn't use it
Alan T. DeKok [Tue, 18 Oct 2011 06:37:05 +0000 (08:37 +0200)]
Update dependencies so that it works in more situations
Alan T. DeKok [Mon, 17 Oct 2011 19:49:08 +0000 (21:49 +0200)]
Release the mutex lock when trying to make a new connection
The DB might be down, and it could take a LONG time to open
a new connection. Instead of holding the mutex lock for long
periods of time, we set a flag saying "spawning", and release
the lock. This lets other threads access the connection pool,
to get open && active connections.
The result is that there are fewer situations where the server
blocks
Alan T. DeKok [Mon, 17 Oct 2011 19:22:09 +0000 (21:22 +0200)]
Add undocumented "lazy init" configuration.
This allows the connection pool to return on init,
even if it's unable to make any new connections. The result
is that the server can start even when the back-end DB is down.
That's nearly always a bad idea, but it's easy enough to do
with the new connection pool code.
Alan T. DeKok [Mon, 17 Oct 2011 19:18:56 +0000 (21:18 +0200)]
Clean up spare connections on release
This mirrors the "spawn new connections on get" functionality.
Also, remember when we last failed to connect. When that happens,
we continue to use existing connections, but we don't open new
connections for one second. This behavior ensures that incoming
requests will still be processed quickly, even when the back-end
database is down.
Alan T. DeKok [Mon, 17 Oct 2011 19:06:48 +0000 (21:06 +0200)]
Remove unused configuration parameters
Alan T. DeKok [Mon, 17 Oct 2011 16:38:23 +0000 (18:38 +0200)]
Alive isn't used. Don't require it
Alan T. DeKok [Mon, 17 Oct 2011 16:20:18 +0000 (18:20 +0200)]
Document new "pool" subsection
Alan T. DeKok [Mon, 17 Oct 2011 16:15:28 +0000 (18:15 +0200)]
Removed knowledge of sqlsocket->id
The drivers have no business using it
Arran Cudbard-Bell [Mon, 17 Oct 2011 15:41:55 +0000 (17:41 +0200)]
Make Class value more unique
Arran Cudbard-Bell [Mon, 17 Oct 2011 15:35:07 +0000 (17:35 +0200)]
Add one char expansion for RADIUS request ID
Alan T. DeKok [Mon, 17 Oct 2011 15:41:25 +0000 (17:41 +0200)]
Added F5 dictionary, as posted to the list
Alan T. DeKok [Mon, 17 Oct 2011 12:44:14 +0000 (14:44 +0200)]
Tie radrelay && detail writer together
So that people can read the documentation and examples
and have it work
Alan T. DeKok [Mon, 17 Oct 2011 14:40:50 +0000 (16:40 +0200)]
Hack to work around race condition
We may give up on a proxied packet (and set proxy_listener = NULL)
just as we're receiving a duplicate packet from the NAS. In that
case, we catch it, and do nothing
Alan T. DeKok [Mon, 17 Oct 2011 11:50:45 +0000 (13:50 +0200)]
Make vp_print_name return size_t
which makes more sense
Alan T. DeKok [Sun, 16 Oct 2011 03:03:34 +0000 (05:03 +0200)]
Fix weird issue where it wouldn't update Stripped-User-Name
suffix
update request {
Stripped-User-Name := "%{Stripped-User-Name}@bar.com"
}
would result in Stripped-User-Name being unchanged.
The code was the same as 2.1.x, which worked.
The new code has the benefit of working, and has one less pass
over the input list
Alan T. DeKok [Sun, 16 Oct 2011 02:32:40 +0000 (04:32 +0200)]
Use new connection pool API
Alan T. DeKok [Sun, 16 Oct 2011 02:21:32 +0000 (04:21 +0200)]
Correct logic in reconnect
Only complain once per second.
Return correct handle
Alan T. DeKok [Sun, 16 Oct 2011 02:13:17 +0000 (04:13 +0200)]
Whitespace && formatting
Arran Cudbard-Bell [Wed, 12 Oct 2011 14:24:28 +0000 (16:24 +0200)]
Assert should be false
Arran Cudbard-Bell [Tue, 11 Oct 2011 20:14:54 +0000 (22:14 +0200)]
Add even more logging, and use unambiguous tense for existing messages
Arran Cudbard-Bell [Tue, 11 Oct 2011 15:37:26 +0000 (17:37 +0200)]
Only attempt to close connections which are unused
Arran Cudbard-Bell [Tue, 11 Oct 2011 15:18:58 +0000 (17:18 +0200)]
Should return connection, not connection struct
Arran Cudbard-Bell [Tue, 11 Oct 2011 15:18:13 +0000 (17:18 +0200)]
Add log messages on connection reservation and release
Arran Cudbard-Bell [Tue, 11 Oct 2011 13:50:13 +0000 (15:50 +0200)]
Ignore libltdl makefile
Arran Cudbard-Bell [Tue, 11 Oct 2011 13:47:13 +0000 (06:47 -0700)]
Merge pull request #22 from arr2036/connection_api
Add additional logging to connection pool api
Arran Cudbard-Bell [Mon, 10 Oct 2011 19:39:02 +0000 (21:39 +0200)]
Add additional logging to connection pool api
Arran Cudbard-Bell [Tue, 11 Oct 2011 11:55:34 +0000 (13:55 +0200)]
Set last_used on spawn, else all connections are closed on the first get_connection call
Add counter, and give each connection a unique connection id
Arran Cudbard-Bell [Mon, 10 Oct 2011 22:17:37 +0000 (00:17 +0200)]
Need to check if the max_uses/lifetime/idle_timeout values > 0 (enabled) before enforcing them...
Alan T. DeKok [Mon, 10 Oct 2011 18:16:01 +0000 (20:16 +0200)]
Fixes to make FR use the local libltdl
This helps to avoid stupid libtool issues
Alan T. DeKok [Mon, 10 Oct 2011 15:37:18 +0000 (17:37 +0200)]
More information in debug messages
Alan T. DeKok [Sun, 9 Oct 2011 16:15:00 +0000 (18:15 +0200)]
Use parent rather than cs if cs doesn't exist
Alan T. DeKok [Sun, 9 Oct 2011 11:59:34 +0000 (13:59 +0200)]
TLS private key password isn't required
Alan T. DeKok [Sat, 8 Oct 2011 07:15:01 +0000 (09:15 +0200)]
Clean up build to be less verbose
Rather than printing out 10+ lines of text for every C file that
is compiled, it now prints out one: "CC foo.c"
While this can hide some key information from the developer, it
also highlights compiler warnings.
We can later go through and add a developer-specific option
to turn on the old behavior. Probably by suppressing the "--quiet"
option to libtool
Alan T. DeKok [Fri, 7 Oct 2011 22:14:02 +0000 (00:14 +0200)]
Fix typo
compare type to RAD_LISTEN_DETAIL
Arran Cudbard-Bell [Fri, 7 Oct 2011 09:45:12 +0000 (11:45 +0200)]
Add a Message-Authenticator attribute to the response, if we added EAP-Message
Alan T. DeKok [Tue, 4 Oct 2011 14:20:42 +0000 (16:20 +0200)]
Added simple module to "clean" the request of non-UTF-8 data
Arran Cudbard-Bell [Mon, 3 Oct 2011 11:34:50 +0000 (04:34 -0700)]
Merge pull request #21 from alagoutte/master
Update RADIUS Dictionary Aruba
Alexis La Goutte [Mon, 3 Oct 2011 11:22:00 +0000 (13:22 +0200)]
Update RADIUS Dictionary Aruba
Peter Lemenkov [Fri, 30 Sep 2011 11:48:58 +0000 (15:48 +0400)]
Drop dead link
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Peter Lemenkov [Fri, 30 Sep 2011 11:48:10 +0000 (15:48 +0400)]
Now it's possible to include Zyxel's dictionary by default
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Peter Lemenkov [Fri, 30 Sep 2011 11:44:29 +0000 (15:44 +0400)]
Another attribute
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Peter Lemenkov [Fri, 30 Sep 2011 11:44:02 +0000 (15:44 +0400)]
Proper VENDOR value for Zyxel
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Alan T. DeKok [Fri, 30 Sep 2011 11:22:23 +0000 (13:22 +0200)]
ECONNRESET and EWOULDBLOCK aren't portable
Wrap them in ifdef's
Alan T. DeKok [Thu, 29 Sep 2011 16:03:23 +0000 (18:03 +0200)]
Load "server {...}" sections properly
Alan T. DeKok [Thu, 29 Sep 2011 09:26:03 +0000 (11:26 +0200)]
Be more graceful if caller passes us a NULL ptr
Alan T. DeKok [Wed, 28 Sep 2011 11:15:46 +0000 (13:15 +0200)]
Distinguish virtual servers from physical ones
Alan T. DeKok [Wed, 28 Sep 2011 11:15:31 +0000 (13:15 +0200)]
Updated debug message
Arran Cudbard-Bell [Mon, 26 Sep 2011 20:01:04 +0000 (22:01 +0200)]
Add EAP-Failure if EAP is called in Post-Auth REJECT and no EAP-Message has been inserted
Alan T. DeKok [Fri, 23 Sep 2011 07:45:55 +0000 (09:45 +0200)]
Fix typo (arg)
Alan T. DeKok [Fri, 23 Sep 2011 07:32:59 +0000 (09:32 +0200)]
More checks for -C, to not open sockets
Alan T. DeKok [Thu, 22 Sep 2011 16:43:11 +0000 (18:43 +0200)]
Don't really open sockets if we're doing -C
Alan T. DeKok [Thu, 22 Sep 2011 13:53:51 +0000 (15:53 +0200)]
Acct-Session-Id from Cisco exceeds 64 bytes. Extend it.
Add radpostauth/radhuntgroup tables to the Oracle schema
Alan T. DeKok [Thu, 22 Sep 2011 13:53:13 +0000 (15:53 +0200)]
Added missing post-auth configuration
John Dennis [Tue, 20 Sep 2011 21:56:22 +0000 (17:56 -0400)]
Always send Message-Authenticator in radtest
Originally Message-Authenticator was introduced to provide message
integrity for EAP messages and originally the Message-Authenticator
attribute was only required for EAP messages.
But then RFC 5080 came along and suggested Message-Authenticator
always be sent as best practice.
Any Access-Request packet that performs authorization checks,
including Call Check, SHOULD contain a Message-Authenticator
attribute.
RFC 5080 then goes on to say:
... server implementations may be configured to require the
presence of a Message-Authenticator attribute in Access-Request
packets. Requests not containing a Message-Authenticator attribute
MAY then be silently discarded.
The raddb/clients.conf has this configuration option to satisfy the
above suggestion in RFC 5080:
require_message_authenticator = no|yes
If require_message_authenticator == yes then non-EAP auth-requests
generated by radtest will fail because currently radtest only supplies
the Message-Authenticator if EAP is being performed. With modern
RADIUS servers (e.g. FreeRADIUS) there is no harm in providing the
Message-Authenticator attribute for non-EAP packets, in fact it's
actually recommended in RFC 5080.
Therefore radtest should ALWAYS send the Message-Authenticator
attribute. If it's EAP or if the server is configured with
require_message_authenticator it must be present. If those conditions
do not hold it's benign. However if require_message_authenticator is
configured radtest will fail for non-EAP.
Alan T. DeKok [Tue, 20 Sep 2011 17:56:02 +0000 (19:56 +0200)]
As posted to the list
Alan T. DeKok [Tue, 20 Sep 2011 08:31:05 +0000 (10:31 +0200)]
Ensure src_ipaddr is initialized when finding a home server
Fix leftover from
12d87590f7b03f315f14d9b905ed550ddceccf7c
Alan T. DeKok [Tue, 20 Sep 2011 07:25:51 +0000 (09:25 +0200)]
Fixed typo
Alan T. DeKok [Mon, 19 Sep 2011 17:45:35 +0000 (19:45 +0200)]
Add missing "man" files
Alan DeKok [Mon, 19 Sep 2011 12:08:57 +0000 (05:08 -0700)]
Merge pull request #18 from bmork/radsniff-decode
radsniff: decoding encrypted attributes
Dmitry Borodaenko [Sat, 6 Aug 2011 17:15:59 +0000 (20:15 +0300)]
Fix rlm_sql noop for accounting start
When 6ed9727 was merged, else{} in the START case got placed against the
wrong if(). Unlike STOP and ALIVE cases, in START insert comes first,
and we only care if that affects 0 rows. If insert fails and we have to
go for an update, we don't have to check for NOOP because we can assume
the insert failed due to a conflicting row already in the database.
Alan T. DeKok [Sun, 18 Sep 2011 11:23:35 +0000 (13:23 +0200)]
Revert "Remove values for Auth-Type, these values were only defined for legacy reasons"
This reverts commit
296fcf9576394de5bf943e257a8d64751feaf636.
Removing Auth-Type = {Accept, Reject, MS-CHAP} breaks the server
John Dennis [Sun, 18 Sep 2011 07:17:45 +0000 (09:17 +0200)]
Document all command line args & add missing man pages
Go through every installed command and verify:
* There exists a man page for the command, if not create one
* For every command line arg in each command:
- Assure the arg appears in the synopsis section of the man page
- Assure the arg is documented in the options section of the man page
- Assure the arg is documented in the "usage" emitted by the command
In addition to the above this patch also does:
* Clean up capitalization & the use of terminating periods.
* Removed superfluous unused l option from the getopt format string
of radwho
* Remove rlm_ippool_tool.pod, superseded by rlm_ippool_tool.8 man page
The following new man pages were added:
man/man1/smbencrypt.1
man/man5/checkrad.5
man/man8/radconf2xml.8
man/man8/radcrypt.8
man/man8/radsniff.8
src/modules/rlm_dbm/rlm_dbm_cat.8
src/modules/rlm_dbm/rlm_dbm_parse.8
src/modules/rlm_ippool/rlm_ippool_tool.8
Arran Cudbard-Bell [Sun, 18 Sep 2011 05:50:29 +0000 (13:50 +0800)]
Use our instead of the old vars pragma, and turn on warnings
Bjørn Mork [Fri, 16 Sep 2011 17:50:07 +0000 (19:50 +0200)]
radsniff: decoding encrypted attributes
Save authentication requests and use them to properly decode
encrypted attributes in matching replies.
Also decode encrypted attributes in CoA requests. Some VSAs
can be encrypted in CoA requests using a null vector.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Alan T. DeKok [Wed, 14 Sep 2011 10:11:07 +0000 (12:11 +0200)]
Note which Auth-Type we're creating
Alan T. DeKok [Wed, 14 Sep 2011 15:33:46 +0000 (17:33 +0200)]
Made more coherent
Alan T. DeKok [Wed, 14 Sep 2011 09:57:04 +0000 (11:57 +0200)]
Make warning message more coherent
Alan T. DeKok [Wed, 14 Sep 2011 09:56:24 +0000 (11:56 +0200)]
WARNING on potential proxy loop
Alan T. DeKok [Mon, 12 Sep 2011 21:41:23 +0000 (23:41 +0200)]
Fixed long-standing typos
I guess no one ever used this...
Arran Cudbard-Bell [Mon, 12 Sep 2011 14:04:28 +0000 (16:04 +0200)]
Remove values for Auth-Type, these values were only defined for legacy reasons
Alan T. DeKok [Sat, 10 Sep 2011 18:32:08 +0000 (20:32 +0200)]
Fixed typo in huntgroup name addition
Alan T. DeKok [Sat, 10 Sep 2011 18:12:01 +0000 (20:12 +0200)]
Document max_queue_size
Alan T. DeKok [Sat, 10 Sep 2011 18:27:58 +0000 (20:27 +0200)]
Twigged blocked messages && logic
Alan T. DeKok [Sat, 10 Sep 2011 17:33:37 +0000 (19:33 +0200)]
No one uses this
Alan T. DeKok [Wed, 7 Sep 2011 15:34:49 +0000 (17:34 +0200)]
Fixed typo