Kevin Wasserman [Sun, 7 Sep 2014 15:11:18 +0000 (11:11 -0400)]
Merge branch 'v3.0.x' into tr-integ
Conflicts:
raddb/mods-available/abfab_psk_sql
raddb/policy.d/abfab-tr
raddb/sites-available/abfab-tls
raddb/sites-available/abfab-tr-idp
raddb/sites-available/channel_bindings
share/dictionary.ukerna
src/modules/rlm_realm/all.mk
Kevin Wasserman [Sun, 7 Sep 2014 08:46:40 +0000 (04:46 -0400)]
Only tr_init() once
Alan T. DeKok [Sat, 6 Sep 2014 19:21:02 +0000 (15:21 -0400)]
Let's build it, shall we?
Alan T. DeKok [Sat, 6 Sep 2014 19:20:53 +0000 (15:20 -0400)]
Missed in last commit
Alan T. DeKok [Sat, 6 Sep 2014 19:17:02 +0000 (15:17 -0400)]
Module for PSK authorizations from ABFAB trust router
Alan T. DeKok [Sat, 6 Sep 2014 19:15:29 +0000 (15:15 -0400)]
Updates and move some moonshot to Trust-Router
Alan T. DeKok [Sat, 6 Sep 2014 19:12:02 +0000 (15:12 -0400)]
Virtual server for GSS-EAP (RFC 7055)
Include a virtual server for clients that use GSS-EAP (RFC 7055). This
server works both for proxies and for home servers that actually
perform authentication.
Alan T. DeKok [Sat, 6 Sep 2014 19:06:24 +0000 (15:06 -0400)]
Add ABFAB sample policy
* pre-proxy policy to enforce constraints that section 3.5 of RFC 7055
says should be enforced near NAS
* authorize section to enforce policies enforced near home server according to RFC 7055 3.5
* Channel bindings policy to enforce ABFAB channel bindings
Alan T. DeKok [Sat, 6 Sep 2014 18:59:00 +0000 (14:59 -0400)]
Add Moonshot-COI and Moonshot-APC attributes
Alan T. DeKok [Sat, 6 Sep 2014 18:58:14 +0000 (14:58 -0400)]
Reject on any channel bindings attribute mismatch
ABFAB (RFC 7055) is a new deployment. In this case, it makes sense to
be very strict about channel bindings checks, because we have high
confidence that anyone supplying ABFAB channel bindings will supply
accurate info.
Other uses of channel bindings may require more liberal policies.
Alan T. DeKok [Sat, 6 Sep 2014 18:54:10 +0000 (14:54 -0400)]
Fix typo
Alan T. DeKok [Sat, 6 Sep 2014 18:53:40 +0000 (14:53 -0400)]
Added configure checks for trust router code
Alan T. DeKok [Sat, 6 Sep 2014 13:29:05 +0000 (09:29 -0400)]
Delete detaching message. It's annoying
Arran Cudbard-Bell [Sat, 6 Sep 2014 11:25:42 +0000 (07:25 -0400)]
Can't build without regexes on Travis because it causes the tests to fail
Arran Cudbard-Bell [Fri, 5 Sep 2014 23:02:26 +0000 (19:02 -0400)]
Fix building without regex support
Arran Cudbard-Bell [Fri, 5 Sep 2014 23:01:52 +0000 (19:01 -0400)]
Don't leak expanded lhs/rhs in do_regex
Arran Cudbard-Bell [Fri, 5 Sep 2014 18:52:34 +0000 (14:52 -0400)]
Fix PCRE checks on FreeBSD
Use FR_SMART_CHECK_LIB so we pick up the PCRE libraries on FreeBSD (they're in /usr/local/lib)
Pass pcre_lib_dir to FR_SMART_CHECK_LIB, so the user defined libpcre ./configure argument isn't ignored
Correct use of macros in the code, so we actually *use* the result of the -lpcre check
Remove unused variables and substitutions
Add output for extended regular expressions check
Philippe Wooding [Fri, 5 Sep 2014 14:58:11 +0000 (16:58 +0200)]
Add dependency on version of openssl with heartbleed fix based on distribution (Debian or Ubuntu) and remove vulnerable openssl check at startup.
Alan T. DeKok [Fri, 5 Sep 2014 14:58:27 +0000 (10:58 -0400)]
Handle replies from virtual servers, too
Alan T. DeKok [Fri, 5 Sep 2014 14:43:11 +0000 (10:43 -0400)]
Don't walk over VPs in normal mode.
Debug code should only run when debugging is enabled
Alan T. DeKok [Fri, 5 Sep 2014 13:39:17 +0000 (09:39 -0400)]
map->dst->tmpl_da can be NULL if it's not TMPL_TYPE_ATTR
Alan T. DeKok [Fri, 5 Sep 2014 13:31:33 +0000 (09:31 -0400)]
Asserts to quiet scan
Alan T. DeKok [Thu, 4 Sep 2014 23:22:04 +0000 (19:22 -0400)]
Fix scan for SRC_INCDIRS, too
Alan T. DeKok [Thu, 4 Sep 2014 15:58:00 +0000 (11:58 -0400)]
Signed / unsigned changes for printing
Arran Cudbard-Bell [Thu, 4 Sep 2014 18:33:23 +0000 (14:33 -0400)]
Merge pull request #777 from matsimon/f5-dictionary
F5 dictionary
Kevin Wasserman [Thu, 4 Sep 2014 17:59:56 +0000 (13:59 -0400)]
Merge remote-tracking branch 'freeradius/v3.0.x' into tr-integ
Conflicts:
raddb/sites-available/channel_bindings
share/dictionary.ukerna
src/include/tls-h
src/main/realms.c
src/modules/rlm_realm/all.mk
src/modules/rlm_realm/rlm_realm.c
Alan T. DeKok [Thu, 4 Sep 2014 15:53:30 +0000 (11:53 -0400)]
Move addprefix for SRC_INCDIRS.
It was adding -I 3 times ???
Alan T. DeKok [Thu, 4 Sep 2014 14:10:27 +0000 (10:10 -0400)]
Add rules for cppcheck
$ CPPCHECK=yes make
will produce more warnings. For now, we suppress variable scope
complaints.
Alan T. DeKok [Thu, 4 Sep 2014 14:01:56 +0000 (10:01 -0400)]
Use "handshake_finished" instead of "finished"
To avoid polluting the global namespace with an enum
Alan T. DeKok [Thu, 4 Sep 2014 13:59:45 +0000 (09:59 -0400)]
Don't conflict with enum
Alan T. DeKok [Thu, 4 Sep 2014 13:57:00 +0000 (09:57 -0400)]
Check limit on 'i' before dereferencing it
Alan T. DeKok [Thu, 4 Sep 2014 13:54:51 +0000 (09:54 -0400)]
Zero is false. found by cppcheck
Alan T. DeKok [Thu, 4 Sep 2014 13:45:47 +0000 (09:45 -0400)]
remove space after -I
Alan T. DeKok [Thu, 4 Sep 2014 13:35:05 +0000 (09:35 -0400)]
Remove spaces after -D
Alan T. DeKok [Wed, 3 Sep 2014 20:24:30 +0000 (16:24 -0400)]
Add realm_pool_free() which garbage collects the pools.
So that the server doesn't crash
Alan T. DeKok [Wed, 3 Sep 2014 20:05:02 +0000 (16:05 -0400)]
Preliminary support for trust router code
Alan T. DeKok [Wed, 3 Sep 2014 19:06:35 +0000 (15:06 -0400)]
Expose tls_init_ctx()
Alan T. DeKok [Wed, 3 Sep 2014 18:07:03 +0000 (14:07 -0400)]
Build without getgrnam_r()
Alan T. DeKok [Wed, 3 Sep 2014 15:09:30 +0000 (11:09 -0400)]
This branch is now 3.0.5
Alan T. DeKok [Wed, 3 Sep 2014 15:08:40 +0000 (11:08 -0400)]
Update specs for v3.0.4
Alan T. DeKok [Wed, 3 Sep 2014 15:04:19 +0000 (11:04 -0400)]
Auto-discover current branch
Alan T. DeKok [Wed, 3 Sep 2014 15:01:28 +0000 (11:01 -0400)]
Free output bio, too
Alan T. DeKok [Wed, 3 Sep 2014 14:56:15 +0000 (10:56 -0400)]
Print debug messages only in debug mode. Closes #779
Herwin Weststrate [Wed, 3 Sep 2014 13:21:01 +0000 (15:21 +0200)]
Fixed quoting for mac-addr-regexp
Otherwise, a "Parse error: Unterminated string" is thrown
Arran Cudbard-Bell [Mon, 1 Sep 2014 15:50:32 +0000 (22:50 +0700)]
Update mac canonicalization policy
Alan T. DeKok [Tue, 2 Sep 2014 21:41:51 +0000 (17:41 -0400)]
Added checks for libpcre
Alan T. DeKok [Tue, 2 Sep 2014 21:15:48 +0000 (17:15 -0400)]
Allow SQL to add clients to virtual servers
Alan T. DeKok [Tue, 2 Sep 2014 18:17:18 +0000 (14:17 -0400)]
Fix use of talloc buffers
Alan T. DeKok [Tue, 2 Sep 2014 16:05:45 +0000 (12:05 -0400)]
Use ralloc'd memory for getgrnam_r(). Closes #776
Alan T. DeKok [Tue, 2 Sep 2014 16:04:12 +0000 (12:04 -0400)]
Use new fr_getgid() function. Addresses #776
Alan T. DeKok [Tue, 2 Sep 2014 15:47:13 +0000 (11:47 -0400)]
Add and expose fr_getgid(). Addresses #776
The current users of getgrnam() don't need the entire group
structure. They just need the gid. So we create a function
which returns that.
Alan T. DeKok [Tue, 2 Sep 2014 13:00:42 +0000 (09:00 -0400)]
Use getpwnam_r() and getgrnam_r() if available. Closes #775.
If the user is building threaded on a system without those functions,
too bad. It's 2014, and every sane system has those functions
Alan T. DeKok [Tue, 2 Sep 2014 12:28:49 +0000 (08:28 -0400)]
Add autoconf checks for getpwnam_r and getgrnam_r.
Right now, only the checks are included. The functions aren't
used at all.
Alan T. DeKok [Mon, 1 Sep 2014 19:20:48 +0000 (15:20 -0400)]
Make sqlippool handle IPv6 prefixes
Alan T. DeKok [Mon, 1 Sep 2014 16:33:38 +0000 (12:33 -0400)]
Free the correct variable. Closes CID #1233596
Alan T. DeKok [Mon, 1 Sep 2014 14:39:11 +0000 (10:39 -0400)]
Use fr_rand() instead of random(). It's stronger.
Alan T. DeKok [Mon, 1 Sep 2014 14:37:03 +0000 (10:37 -0400)]
Use memmove instead of memcpy. Fixes coverity complaint.
But doesn't change anything, because "hdr_len" is always a small
value. It's just not checked as such, so coverity doesn't pick up
on it
Alan T. DeKok [Sun, 31 Aug 2014 14:30:27 +0000 (10:30 -0400)]
Remove old portability cruft
Alan T. DeKok [Sun, 31 Aug 2014 14:12:24 +0000 (10:12 -0400)]
Don't confuse the scanner
Alan T. DeKok [Sun, 31 Aug 2014 14:09:53 +0000 (10:09 -0400)]
vpt may be NULL
Alan T. DeKok [Sun, 31 Aug 2014 14:05:07 +0000 (10:05 -0400)]
Use correct name for struct entries
Alan T. DeKok [Sun, 31 Aug 2014 14:02:09 +0000 (10:02 -0400)]
Return correct code for error
Alan T. DeKok [Sun, 31 Aug 2014 13:54:22 +0000 (09:54 -0400)]
Formatting helps
Alan T. DeKok [Sun, 31 Aug 2014 13:50:05 +0000 (09:50 -0400)]
Added dictionary for RFC 7268
Alan T. DeKok [Sun, 31 Aug 2014 12:50:15 +0000 (08:50 -0400)]
run ./format.pl
Alan T. DeKok [Sun, 31 Aug 2014 12:49:27 +0000 (08:49 -0400)]
Enable new dictionaries and fix minor issues
Mathieu Simon [Sun, 31 Aug 2014 08:36:06 +0000 (10:36 +0200)]
dictionary.trapeze: Add attribute
- Trapeze-Audit seems to be an accounting-only value that
contains logging data for audit as the attribute says.
- Since MSS software still seems to be developed by Juniper
add a Juniper reference and remove the mail address as the
domain redirects to Juniper.com these days.
Mathieu Simon [Sun, 31 Aug 2014 09:28:27 +0000 (11:28 +0200)]
Add 3 attributes to the Bay dict. (Nortel/Avaya)
Found in the Avaya AAA for ERS and ES Technical Configuration
Guide from 2010 as publicly available at Avaya.
Some attributes have been changed by Avaya but left unchanged here
to not break existing installations.
Mathieu Simon [Sun, 11 May 2014 20:46:38 +0000 (22:46 +0200)]
dictionary.altiga: Fix small typo & space-to-tab
Try unifying mixed usage of spaces and tabs (latter seems more common)
then pass with the formatter.
Mathieu Simon [Sun, 9 Feb 2014 09:55:56 +0000 (10:55 +0100)]
Add newly found attribute to dictionary.telebit
Found in: Cisco Prime Access Registrar 6.0.1 Users Guide
Chapter: RADIUS Attributes.
Telebit has been bought quite some time ago, that's why
the references come from Cisco.
Mathieu Simon [Sun, 31 Aug 2014 09:07:46 +0000 (11:07 +0200)]
Add Ruckus dictionary
Compiled out of Ruckus user guides and tech notes
publicly available on the Ruckus website.
Mathieu Simon [Sun, 11 May 2014 20:44:26 +0000 (22:44 +0200)]
Add Compatible Systems dictionary
Add Compatible Systems Corp. dictionary as found in the
Cisco Prime Access Registrar 6.1 User Guide.
Includes historical note about Compatible Systems's acquisition
in case someone is (still) looking for documentation.
Alan T. DeKok [Sat, 30 Aug 2014 14:34:43 +0000 (10:34 -0400)]
Clarify behavior of inner-tunnel replies
Alan T. DeKok [Sat, 30 Aug 2014 14:08:53 +0000 (10:08 -0400)]
Move suppression of debugging messages to a better place. Closes #772
vradlog() should always log. It's static to log.c, so the *callers*
should take care to avoid calling vradlog().
The checks for debugging messages are pushed to radlog(), which
is the external API.
Added a static radlog_always(), which always calls vradlog().
It's just a wrapper to deal with the varargs stuff.
The vradlog_request() function now calls radlog_always(), as
vradlog_request() takes care of checking if debugging is enabled.
Alan T. DeKok [Sat, 30 Aug 2014 13:42:09 +0000 (09:42 -0400)]
Remove unnecessary debug message
Arran Cudbard-Bell [Fri, 29 Aug 2014 19:38:08 +0000 (21:38 +0200)]
Use memcmp for string comparisons to be \0 safe
Arran Cudbard-Bell [Fri, 29 Aug 2014 19:34:23 +0000 (21:34 +0200)]
Few more...
Arran Cudbard-Bell [Fri, 29 Aug 2014 19:26:50 +0000 (21:26 +0200)]
Fixup default virtual servers and policies to use &references
Alan T. DeKok [Fri, 29 Aug 2014 16:30:58 +0000 (12:30 -0400)]
Ensure that dictionary.dhcp is loaded
Alan T. DeKok [Fri, 29 Aug 2014 16:25:56 +0000 (12:25 -0400)]
Clearer docs for use_tunneled_reply
Arran Cudbard-Bell [Fri, 29 Aug 2014 16:30:21 +0000 (18:30 +0200)]
Doxygen
Alan T. DeKok [Fri, 29 Aug 2014 16:15:31 +0000 (12:15 -0400)]
As posted to the list
Conflicts:
share/dictionary.bluecoat
Arran Cudbard-Bell [Fri, 29 Aug 2014 15:14:33 +0000 (17:14 +0200)]
Using attribute references in conditions should allow access to the raw string (without escaping)
Alan T. DeKok [Fri, 29 Aug 2014 13:48:38 +0000 (09:48 -0400)]
The Error-Message is an ASCII string
Arran Cudbard-Bell [Fri, 29 Aug 2014 13:42:08 +0000 (15:42 +0200)]
Make connection pool sharing messages slightly clearer
Alan T. DeKok [Fri, 29 Aug 2014 13:18:16 +0000 (09:18 -0400)]
Do the right chmod
Alan T. DeKok [Thu, 28 Aug 2014 19:35:01 +0000 (15:35 -0400)]
Note recent changes
Arran Cudbard-Bell [Fri, 29 Aug 2014 10:58:59 +0000 (12:58 +0200)]
Allow 'plain' as a valid WEB API type
Arran Cudbard-Bell [Fri, 29 Aug 2014 10:55:12 +0000 (12:55 +0200)]
Fix issue in configured 'forced' types
Arran Cudbard-Bell [Fri, 29 Aug 2014 10:44:24 +0000 (12:44 +0200)]
Print out error message returned by the server
Arran Cudbard-Bell [Fri, 29 Aug 2014 09:38:36 +0000 (11:38 +0200)]
Disable cert validation when pre-establishing connections in rlm_rest
We don't have a valid TLS configuration to use.
libcurl appears to do the right thing, and validate the cert when reconfigured to for subsequent requests.
We tell libcurl to *only* establish the connection and not send any data, so there's no chance of us
leaking sensitive information.
Alan T. DeKok [Thu, 28 Aug 2014 19:30:24 +0000 (15:30 -0400)]
Allow comparisons between integers of different size
Alan T. DeKok [Thu, 28 Aug 2014 19:05:52 +0000 (15:05 -0400)]
We might have a cast, too
Alan T. DeKok [Thu, 28 Aug 2014 18:58:42 +0000 (14:58 -0400)]
Assume that the permissions are correct
Arran Cudbard-Bell [Thu, 28 Aug 2014 18:51:15 +0000 (20:51 +0200)]
Document new rest configuration items
Arran Cudbard-Bell [Thu, 28 Aug 2014 17:00:57 +0000 (19:00 +0200)]
Print HTTP response on RDEBUG3
Alan T. DeKok [Thu, 28 Aug 2014 16:33:08 +0000 (12:33 -0400)]
Don't convert attributes of incompatible type
Alan T. DeKok [Thu, 28 Aug 2014 16:11:10 +0000 (12:11 -0400)]
use the correct struct entries for comparisons
Alan T. DeKok [Thu, 28 Aug 2014 14:02:46 +0000 (10:02 -0400)]
Ensure that the error message has leading tabs, too.
Just copy them over from the input. This means that the error
message is lined up with the text we're complaining about
Alan T. DeKok [Thu, 28 Aug 2014 13:37:02 +0000 (09:37 -0400)]
Just use "int" for return codes instead of int8_t