Matthew Newton [Wed, 16 Apr 2014 13:22:03 +0000 (14:22 +0100)]
update copyright year
Matthew Newton [Wed, 16 Apr 2014 13:00:50 +0000 (14:00 +0100)]
force debian pkg to use patched openssl, and disable version check
Matthew Newton [Wed, 16 Apr 2014 10:35:22 +0000 (11:35 +0100)]
refresh debian patch
Matthew Newton [Wed, 16 Apr 2014 11:01:26 +0000 (12:01 +0100)]
debian pkg: tidy up statoverride on purge
Alan T. DeKok [Tue, 15 Apr 2014 19:47:41 +0000 (15:47 -0400)]
Update unlang for attribute references
Alan T. DeKok [Tue, 15 Apr 2014 19:30:46 +0000 (15:30 -0400)]
note recent changes
Alan T. DeKok [Tue, 15 Apr 2014 19:29:21 +0000 (15:29 -0400)]
Allow array references on the LHS of attr/attr maps.
Made radius_map2request() no longer use radius_pairmove()
which makes this code more complicated, but should make
the server slightly faster. Adding array references to
radius_pairmove() is just a non-starter.
Alan T. DeKok [Mon, 14 Apr 2014 21:15:56 +0000 (17:15 -0400)]
If the tags are equal, go check the values
Arran Cudbard-Bell [Mon, 14 Apr 2014 23:47:23 +0000 (19:47 -0400)]
Fix warning on Linux with GDB
Alan T. DeKok [Mon, 14 Apr 2014 20:01:48 +0000 (16:01 -0400)]
Revert "Forbid self to self maps"
This reverts commit
9b4b44e8e071c0cbaad25de8156c175ee7aa674b.
Apparently it's needed for the cache module. We'll have a
better fix later
Alan T. DeKok [Mon, 14 Apr 2014 19:16:26 +0000 (15:16 -0400)]
Update logfile API.
We need to close the FP in rlm_detail. Which means that the
locks on the FD will be closed. And we don't want to close
the main FD. So we add a new API to unlock the mutex without
closing the FD. And we always return a DUP'd FD to the caller,
instead of the main one.
Fixes a whack of Coverity complaints
Alan T. DeKok [Mon, 14 Apr 2014 19:07:18 +0000 (15:07 -0400)]
Minor fixes to make Coverity happy.
The logfile API is a bit weird with respect to mutexes. It's
intended to reply with mutexes held
Alan T. DeKok [Mon, 14 Apr 2014 19:01:36 +0000 (15:01 -0400)]
Forbid self to self maps
Arran Cudbard-Bell [Mon, 14 Apr 2014 18:13:33 +0000 (14:13 -0400)]
Remove hex2bin, the xlat code would require significant reworking for this to be safe
Alan T. DeKok [Mon, 14 Apr 2014 17:31:41 +0000 (13:31 -0400)]
More sanity checks and messages for list assignment.
list := `...` is now a warning. This is because the assignment
makes it look like it over-writes the list. It doesn't. We now
require list = `...`, which is clearer: the operators used are the
ones which are returned from the external program.
Alan T. DeKok [Mon, 14 Apr 2014 16:15:52 +0000 (12:15 -0400)]
Distinguish failure cases
Alan T. DeKok [Mon, 14 Apr 2014 16:09:59 +0000 (12:09 -0400)]
Set the stack to zero to simplify gdb output
Alan T. DeKok [Mon, 14 Apr 2014 16:06:59 +0000 (12:06 -0400)]
Verify VPs we're printing
Alan T. DeKok [Mon, 14 Apr 2014 15:48:02 +0000 (11:48 -0400)]
Correctly set fields when compiling literal string
when we have an ATTR on the LHS, and a LITERAL on the RHS,
we need to set the RHS to be VPT_TYPE_DATA, not the LHS
and there are other fields we need to set, too
Alan T. DeKok [Mon, 14 Apr 2014 14:46:53 +0000 (10:46 -0400)]
Clean up syntax for list to list assignments
list !* ANY remove all attributes in the list
list := list2 delete list, copy list2, and assign the copy to list
list += list2 copy list2, and append the copy to list
list := `foo` read attrs from program, and assign to list
list += `foo` read attrs from program, and append to list
Alan T. DeKok [Mon, 14 Apr 2014 14:27:44 +0000 (10:27 -0400)]
Don't core if vpt->vpd is NULL
Alan T. DeKok [Mon, 14 Apr 2014 03:20:41 +0000 (23:20 -0400)]
In radius_map2vp(), always expand XLAT structures.
Looking for a % in the map name is pointless. If the vpt is
marked as xlat, it's xlat. The parser should take care of
ensuring that strings without % are created as literals
Alan T. DeKok [Mon, 14 Apr 2014 03:20:21 +0000 (23:20 -0400)]
re-add xlat_spaces for debugging
Alan T. DeKok [Mon, 14 Apr 2014 03:13:38 +0000 (23:13 -0400)]
Make radius_map2vp() call radius_vpt_get_vp() for map->src
So that we can have array references on the RHS of update
statements. And tags on the RHS, too
Alan T. DeKok [Mon, 14 Apr 2014 03:13:30 +0000 (23:13 -0400)]
LF at EOL
Alan T. DeKok [Mon, 14 Apr 2014 02:53:08 +0000 (22:53 -0400)]
Move debug print map functionality to its own function
And as a side effect, always properly reparent the VP...
Alan T. DeKok [Mon, 14 Apr 2014 02:39:58 +0000 (22:39 -0400)]
Use radius_list_ctx() rather than re-implementing it
Alan T. DeKok [Mon, 14 Apr 2014 02:33:55 +0000 (22:33 -0400)]
allow radius_vpt_get_vp() to use array references
Alan T. DeKok [Sun, 13 Apr 2014 23:59:02 +0000 (19:59 -0400)]
Add tags and array references to value_pair_tmpl_t
radius_parse_attr() parses them
radius_tmpl2str() prints them
condition.txt tests them
radius_vpt_get_vp() uses tag now, but not array ref
No other code has been updated. e.g. evaluate, etc.
Alan T. DeKok [Sun, 13 Apr 2014 22:23:00 +0000 (18:23 -0400)]
Add function to look up "name:0" or "name[1]" or "name:0[1]"
Because it's easier and faster to do it here, than to force
all of the callers to manually massage the dictionary names
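Added example, not FreeRADIUS code: a small parser for the "name", "name:tag", "name[idx]" and "name:tag[idx]" forms named in the commit above, plus a lookup that applies a parsed reference to a list of (name, tag, value) pairs. Everything here is an assumption for illustration: the `AttrRef`, `parse_attr_ref`, `lookup` and `resolve` names, the rule that tags are 0..31, that an index is a number or `*` (all matches), that a missing index means the first match, that a given tag must match exactly, and that a leading `&` is optional. The sample pairs are constructed, not taken from a real request.

```python
"""Parser + lookup for RADIUS attribute references like Tunnel-Type:1[1].
Added example; the names and rules below are assumptions, not FreeRADIUS's."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

_REF = re.compile(
    r"^&?(?P<name>[A-Za-z][A-Za-z0-9._-]*)"   # attribute name, optional leading &
    r"(?::(?P<tag>\d+))?"                     # optional :tag
    r"(?:\[(?P<idx>\d+|\*)\])?$"              # optional [idx] or [*]
)


@dataclass(frozen=True)
class AttrRef:
    name: str
    tag: Optional[int] = None
    index: Union[int, str, None] = None       # int, "*" or None (= first match)


def parse_attr_ref(text: str) -> AttrRef:
    """Parse one reference; raise ValueError on anything malformed."""
    m = _REF.match(text.strip())
    if not m:
        raise ValueError(f"bad attribute reference: {text!r}")
    tag = int(m["tag"]) if m["tag"] is not None else None
    if tag is not None and not 0 <= tag <= 31:      # assumed tag range
        raise ValueError(f"tag out of range: {text!r}")
    idx: Union[int, str, None] = m["idx"]
    if idx is not None and idx != "*":
        idx = int(idx)
    return AttrRef(m["name"], tag, idx)


def is_malformed(text: str) -> bool:
    """True when parse_attr_ref() rejects the text."""
    try:
        parse_attr_ref(text)
    except ValueError:
        return True
    return False


Pair = Tuple[str, Optional[int], str]            # (name, tag, value)


def lookup(pairs: List[Pair], ref: AttrRef):
    """Apply a parsed reference: case-insensitive name, exact tag when given.
    Returns one value, a list for "*", or None when nothing matches or the
    index runs off the end of the matches."""
    matches = [v for (n, t, v) in pairs
               if n.lower() == ref.name.lower() and (ref.tag is None or t == ref.tag)]
    if ref.index == "*":
        return matches
    i = 0 if ref.index is None else ref.index
    return matches[i] if i < len(matches) else None


SAMPLE_PAIRS: List[Pair] = [                     # constructed demo data
    ("User-Name", None, "alice"),
    ("Tunnel-Type", 1, "VLAN"),
    ("Tunnel-Type", 2, "GRE"),
    ("Tunnel-Private-Group-Id", 1, "100"),
    ("Tunnel-Private-Group-Id", 1, "200"),
]


def resolve(text: str, pairs: List[Pair] = SAMPLE_PAIRS):
    """Parse and look up in one step."""
    return lookup(pairs, parse_attr_ref(text))


if __name__ == "__main__":
    for ref in ("User-Name", "&Tunnel-Type:2", "Tunnel-Private-Group-Id:1[1]",
                "Tunnel-Type[*]", "Tunnel-Type[5]"):
        print(f"{ref:32} -> {resolve(ref)!r}")
```

The parser rejects the malformed cases up front so that callers never have to massage dictionary names themselves, which is the point the commit makes about doing this in one place.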
Alan T. DeKok [Sun, 13 Apr 2014 16:13:45 +0000 (12:13 -0400)]
radius_parse_attr() doesn't deal with tags or array references
Alan T. DeKok [Sun, 13 Apr 2014 16:13:24 +0000 (12:13 -0400)]
Make str2tmpl call radius_parse_attr()
So we don't have 2 pieces of code doing the same thing.
Herwin Weststrate [Mon, 14 Apr 2014 14:03:53 +0000 (16:03 +0200)]
Small update to docs/concepts/proxy.rst
Some file locations are updated in more recent versions of FreeRADIUS.
Alan T. DeKok [Sun, 13 Apr 2014 01:26:59 +0000 (21:26 -0400)]
Use correct talloc ctx for VPs
Alan T. DeKok [Sun, 13 Apr 2014 01:25:59 +0000 (21:25 -0400)]
Add function to return TALLOC_CTX from pair_lists_t
Alan T. DeKok [Sat, 12 Apr 2014 15:29:53 +0000 (11:29 -0400)]
Allocate from the local map ctx
Alan T. DeKok [Sat, 12 Apr 2014 15:28:59 +0000 (11:28 -0400)]
Use packet for VP context
Alan T. DeKok [Fri, 11 Apr 2014 21:34:40 +0000 (17:34 -0400)]
Tests for new compilation
Alan T. DeKok [Fri, 11 Apr 2014 20:58:32 +0000 (16:58 -0400)]
Distinguish failure modes
Alan T. DeKok [Fri, 11 Apr 2014 19:38:03 +0000 (15:38 -0400)]
Convert "%{Attribute-Name}" to just &Attribute-Name
which should speed things up slightly at run time.
Arran Cudbard-Bell [Thu, 10 Apr 2014 12:17:59 +0000 (13:17 +0100)]
Formatting
Alan T. DeKok [Fri, 11 Apr 2014 19:05:31 +0000 (15:05 -0400)]
note recent changes
Alan T. DeKok [Fri, 11 Apr 2014 18:58:45 +0000 (14:58 -0400)]
Run Post-Proxy-Type fail on no reply. Fixes #576
Alan T. DeKok [Fri, 11 Apr 2014 18:50:47 +0000 (14:50 -0400)]
Complain about blocked only on the first pass through the queue
Alan T. DeKok [Fri, 11 Apr 2014 18:19:22 +0000 (14:19 -0400)]
Allow DHCP NAKs to be delayed
via response:FreeRADIUS-Response-Delay
Alan T. DeKok [Fri, 11 Apr 2014 15:49:25 +0000 (11:49 -0400)]
Cast to const
Alan T. DeKok [Fri, 11 Apr 2014 15:48:45 +0000 (11:48 -0400)]
"i" is needed only if we have threads
Alan T. DeKok [Fri, 11 Apr 2014 15:39:41 +0000 (11:39 -0400)]
Note recent changes
Alan T. DeKok [Fri, 11 Apr 2014 15:35:32 +0000 (11:35 -0400)]
Manually merge rlm_counter from master.
Includes fixes for VSAs as counters
Alan T. DeKok [Fri, 11 Apr 2014 15:19:25 +0000 (11:19 -0400)]
remove unneeded FIXME
Alan T. DeKok [Fri, 11 Apr 2014 15:16:49 +0000 (11:16 -0400)]
Fix calls to radius_paircreate()
It now takes a CTX rather than a REQUEST. And all callers
use the correct context.
Alan T. DeKok [Fri, 11 Apr 2014 15:08:17 +0000 (11:08 -0400)]
Revert "Create reply attributes parented from the reply"
The changes required are more extensive.
This reverts commit
4d9b7afbd9c5bf14fb4166a58ef5e46c67f7da7b.
Alan T. DeKok [Fri, 11 Apr 2014 15:05:08 +0000 (11:05 -0400)]
Use talloc_free. Fixes #582
Alan T. DeKok [Fri, 11 Apr 2014 15:03:47 +0000 (11:03 -0400)]
Remove unused argument
Alan T. DeKok [Fri, 11 Apr 2014 14:59:32 +0000 (10:59 -0400)]
use the correct name
Alan T. DeKok [Fri, 11 Apr 2014 14:56:47 +0000 (10:56 -0400)]
Added hextobin xlat.
It's useful for creating binary nonsense
Alan T. DeKok [Fri, 11 Apr 2014 14:56:17 +0000 (10:56 -0400)]
Sanitize return codes. "do nothing" is NOOP
Alan T. DeKok [Fri, 11 Apr 2014 14:55:51 +0000 (10:55 -0400)]
Make response delay more generic.
For now, it only applies to Access-Reject packets
Alan T. DeKok [Fri, 11 Apr 2014 14:45:02 +0000 (10:45 -0400)]
Hold main lock for less time
When we open a file, we grab the mutex for that file, rather than
continuing to hold the main mutex during the open() operation
Alan T. DeKok [Thu, 10 Apr 2014 18:14:29 +0000 (14:14 -0400)]
Lock from the start of the file.
Alan T. DeKok [Thu, 10 Apr 2014 18:04:05 +0000 (14:04 -0400)]
Check lock for error
Alan T. DeKok [Thu, 10 Apr 2014 18:01:49 +0000 (14:01 -0400)]
Use the new logfile API
Alan T. DeKok [Thu, 10 Apr 2014 18:00:05 +0000 (14:00 -0400)]
re-open the file if someone has deleted it
i.e. while we waited for the lock, or while we were doing
something else.
Alan T. DeKok [Thu, 10 Apr 2014 17:45:16 +0000 (13:45 -0400)]
Use mode_t, and create any necessary directories
Alan T. DeKok [Thu, 10 Apr 2014 16:17:17 +0000 (12:17 -0400)]
Use the new logfile API
Alan T. DeKok [Thu, 10 Apr 2014 16:17:06 +0000 (12:17 -0400)]
Use the new logfile API
Alan T. DeKok [Thu, 10 Apr 2014 16:07:27 +0000 (12:07 -0400)]
Added logging API
So that multiple threads can log to files with (a) no thread
race conditions, and (b) file locks for external processes.
We do this by opening a file descriptor for each file, and leaving
it open for a long time. When a thread needs to log to a file,
it passes the filename to the API, and gets an FD in return.
That FD is then left open, for re-use by other threads.
The FD is also protected by a mutex, so that other threads which
try to log to the same file have to wait until the current one
is finished.
This nonsense is required because the POSIX file lock API is
per process, so that locks in one thread don't block other threads.
The POSIX API also releases *all* locks on a file when ANY FD for
that file is closed. So the threads can't rely on just file locks to
prevent readers from reading the wrong thing. They have to have ONE FD
for all threads.
Since the FD is never closed, the locks on it always apply.
Since the FD is protected by a mutex, only one thread at a time
can write to the file.
And peace reigns in the land.
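Added example, not FreeRADIUS code, illustrating both this commit and the "Update logfile API" commit earlier on the page (unlock the mutex without closing the shared FD; hand callers a dup'd FD). The first function shows the pitfall the message describes: a process that closes any descriptor for a file loses every POSIX record lock it holds on that file, including locks taken through a different descriptor. `SharedLogFiles` is this example's own sketch of the fix: one long-lived fd per path, a per-path mutex for threads in this process, the fcntl lock on that shared fd for other processes, and a dup'd fd returned to the caller. The class, function and variable names are assumptions, the probe uses fork() because record locks can only be observed from another process, and the log paths are constructed temp files. Unix only.

```python
"""POSIX record locks vs. threads: the pitfall and the one-fd-per-file fix.
Added example; names here are this example's, not FreeRADIUS's."""
import fcntl
import os
import tempfile
import threading
from typing import Dict, List, Tuple


def make_temp_log() -> str:
    """Fresh path in a private temp dir (constructed for the demo)."""
    return os.path.join(tempfile.mkdtemp(), "detail.log")


def _other_process_can_lock(path: str) -> bool:
    """Fork a probe that tries a non-blocking write lock on `path`.
    Locks are per process, so only another process can tell us if it's held."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child: probe, report, exit
        os.close(r)
        fd = os.open(path, os.O_WRONLY)
        try:
            fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            os.write(w, b"1")
        except OSError:
            os.write(w, b"0")
        os._exit(0)
    os.close(w)
    answer = os.read(r, 1)
    os.close(r)
    os.waitpid(pid, 0)
    return answer == b"1"


def lock_survives_unrelated_close(path: str) -> Tuple[bool, bool]:
    """The pitfall: closing ANY fd for the file drops every lock this process
    holds on it, even a lock taken through a different fd."""
    fd_a = os.open(path, os.O_WRONLY | os.O_CREAT, 0o640)
    fcntl.lockf(fd_a, fcntl.LOCK_EX)
    held_before = not _other_process_can_lock(path)
    fd_b = os.open(path, os.O_WRONLY)             # second fd on the same file
    os.close(fd_b)                                # ...and fd_a's lock is gone
    held_after = not _other_process_can_lock(path)
    os.close(fd_a)
    return held_before, held_after                # (True, False) on Linux


class SharedLogFiles:
    """One fd per path that is never closed; a mutex per path for threads;
    the fcntl lock on the shared fd for other processes."""

    def __init__(self) -> None:
        self._main = threading.Lock()
        self._files: Dict[str, Tuple[int, threading.Lock]] = {}
        self._owner: Dict[int, str] = {}          # dup fd -> path

    def open(self, path: str, mode: int = 0o640) -> int:
        with self._main:                          # held only to find/create the entry
            if path not in self._files:
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
                self._files[path] = (fd, threading.Lock())
            fd, mutex = self._files[path]
        mutex.acquire()                           # one thread at a time per file
        fcntl.lockf(fd, fcntl.LOCK_EX)            # one process at a time per file
        dup_fd = os.dup(fd)                       # caller may close this freely
        self._owner[dup_fd] = path
        return dup_fd

    def close(self, dup_fd: int) -> None:
        fd, mutex = self._files[self._owner.pop(dup_fd)]
        fcntl.lockf(fd, fcntl.LOCK_UN)            # unlock via the shared fd...
        os.close(dup_fd)                          # ...so closing the dup is harmless
        mutex.release()


def other_process_blocked_while_open(path: str) -> Tuple[bool, bool]:
    """(another process is blocked while a handle is open, free again after)."""
    files = SharedLogFiles()
    fd = files.open(path)
    blocked = not _other_process_can_lock(path)
    files.close(fd)
    return blocked, _other_process_can_lock(path)  # (True, True)


def write_from_threads(path: str, lines: List[str]) -> List[str]:
    """Several threads append one line each through the shared fd; returns
    the lines read back."""
    files = SharedLogFiles()

    def worker(line: str) -> None:
        fd = files.open(path)
        os.write(fd, line.encode())
        files.close(fd)

    threads = [threading.Thread(target=worker, args=(ln,)) for ln in lines]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with open(path) as f:
        return f.read().splitlines()


if __name__ == "__main__":
    p = make_temp_log()
    print("lock held before/after unrelated close:", lock_survives_unrelated_close(p))
    print("other process blocked / released:", other_process_blocked_while_open(p))
    print(sorted(write_from_threads(make_temp_log(), ["a\n", "b\n", "c\n"])))
```

Note the order in `close()`: the record lock is released through the shared fd before the dup is closed, so a caller that fdopen()s and fclose()s its dup (as rlm_detail needs to) cannot drop a lock the next writer is relying on; the mutex is released last so no other thread in this process touches the file in between.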
Alan T. DeKok [Thu, 10 Apr 2014 13:24:18 +0000 (09:24 -0400)]
Log files are 0640, not 0666. WTF?
Alan T. DeKok [Thu, 10 Apr 2014 02:53:10 +0000 (22:53 -0400)]
Allow unset auth_type to mean local
Arran Cudbard-Bell [Thu, 10 Apr 2014 07:11:00 +0000 (08:11 +0100)]
Free cast before checking for error
Arran Cudbard-Bell [Thu, 10 Apr 2014 07:09:22 +0000 (08:09 +0100)]
Check for truncation in more places
Arran Cudbard-Bell [Thu, 10 Apr 2014 06:35:14 +0000 (07:35 +0100)]
Really not a typo
Alan T. DeKok [Thu, 10 Apr 2014 02:19:57 +0000 (22:19 -0400)]
Quotations around strings look nicer
Alan T. DeKok [Thu, 10 Apr 2014 02:18:43 +0000 (22:18 -0400)]
Handle embedded NULs in strings for xlat. Fixes #571
Alan T. DeKok [Wed, 9 Apr 2014 20:20:51 +0000 (16:20 -0400)]
Note recent changes
Alan T. DeKok [Wed, 9 Apr 2014 20:14:57 +0000 (16:14 -0400)]
Double-check the data length. CID #1198852
Which will never happen in reality, because the called functions
never return more than the size of the output buffer
Arran Cudbard-Bell [Wed, 9 Apr 2014 20:29:42 +0000 (21:29 +0100)]
Always set type correctly
Arran Cudbard-Bell [Wed, 9 Apr 2014 19:48:00 +0000 (20:48 +0100)]
Coverity #1198850 #1198851 #1198852
Arran Cudbard-Bell [Wed, 9 Apr 2014 19:39:52 +0000 (20:39 +0100)]
CID #1198853 *sigh*
Alan T. DeKok [Wed, 9 Apr 2014 15:57:02 +0000 (11:57 -0400)]
For travis tests, allow vulnerable versions of OpenSSL.
Strictly for testing
Alan T. DeKok [Wed, 9 Apr 2014 15:33:09 +0000 (11:33 -0400)]
Use correct talloc type
Alan T. DeKok [Wed, 9 Apr 2014 15:32:54 +0000 (11:32 -0400)]
Use correct talloc type
Alan T. DeKok [Wed, 9 Apr 2014 15:23:33 +0000 (11:23 -0400)]
Create reply attributes parented from the reply
Alan T. DeKok [Wed, 9 Apr 2014 15:23:21 +0000 (11:23 -0400)]
Use RDEBUG instead of DEBUG
Alan T. DeKok [Wed, 9 Apr 2014 15:02:43 +0000 (11:02 -0400)]
Check for invalid TLS handshake
If the system has a vulnerable version of OpenSSL, and the
admin has told us to allow it, we want to catch and stop
the problem.
Alan T. DeKok [Wed, 9 Apr 2014 14:47:42 +0000 (10:47 -0400)]
If we fail during tls handshake, don't send an EAP-Fail msg
Because tls_handshake_recv() says there's something wrong with
the TLS session. Therefore, we can't use it for anything
Arran Cudbard-Bell [Wed, 9 Apr 2014 15:32:35 +0000 (16:32 +0100)]
Add request number
Arran Cudbard-Bell [Wed, 9 Apr 2014 10:18:50 +0000 (11:18 +0100)]
Extra paranoia. Check panic_action both on startup, and when we attempt to execute it.
Arran Cudbard-Bell [Wed, 9 Apr 2014 10:06:20 +0000 (11:06 +0100)]
Add warning on pattach
Arran Cudbard-Bell [Tue, 8 Apr 2014 21:44:48 +0000 (22:44 +0100)]
Tweak visual grouping to make ssl version easier to read
Arran Cudbard-Bell [Tue, 8 Apr 2014 21:35:26 +0000 (22:35 +0100)]
Don't be lazy when printing openssl version numbers
Arran Cudbard-Bell [Tue, 8 Apr 2014 20:59:44 +0000 (21:59 +0100)]
A simple framework to deal with future security issues in libssl
Alan T. DeKok [Tue, 8 Apr 2014 21:13:33 +0000 (17:13 -0400)]
Revert "Use correct URL"
This reverts commit
8146612b7849e785bc2039a6ce15395027ec2161.
Alan T. DeKok [Tue, 8 Apr 2014 20:26:19 +0000 (16:26 -0400)]
Use correct URL
Alan T. DeKok [Tue, 8 Apr 2014 20:04:48 +0000 (16:04 -0400)]
Don't replicate reply packets.
The code never handled it, so it's safe to delete the functions
Alan T. DeKok [Tue, 8 Apr 2014 19:14:09 +0000 (15:14 -0400)]
The input packet can't be an Access-Challenge
Alan T. DeKok [Tue, 8 Apr 2014 18:57:13 +0000 (14:57 -0400)]
Remove "auto_header" functionality. It's not used anywhere.
Alan T. DeKok [Tue, 8 Apr 2014 18:49:09 +0000 (14:49 -0400)]
Note recent changes
Alan T. DeKok [Tue, 8 Apr 2014 18:45:42 +0000 (14:45 -0400)]
Removed conf2xml and conf2file functionality.
No one uses it, and we shouldn't carry around legacy code
Alan T. DeKok [Tue, 8 Apr 2014 18:40:59 +0000 (14:40 -0400)]
Remove unused functions