Herwin Weststrate [Tue, 22 Jul 2014 15:56:57 +0000 (17:56 +0200)]
Fix error in attribute copying to rlm_perl
Introduced in commit
c225c615760d4c907640ebd249f860d5ab3258dd. It copied the RAD_REPLY hash twice, which had the side effects that some keys dropped out.
Herwin Weststrate [Tue, 15 Jul 2014 10:04:13 +0000 (12:04 +0200)]
Debian: Ensure some directories exist
This prevents some warnings when installing the package.
Arran Cudbard-Bell [Mon, 21 Jul 2014 14:30:18 +0000 (10:30 -0400)]
Other perl formatting
Arran Cudbard-Bell [Mon, 21 Jul 2014 14:25:25 +0000 (10:25 -0400)]
Fix multivalues attributes in rlm_perl. Addresses #731, Addresses #722
root [Mon, 21 Jul 2014 06:42:42 +0000 (06:42 +0000)]
Add the gigawords calculation for MSSQL in accounting stop SQL clause
Herwin Weststrate [Sun, 20 Jul 2014 08:57:21 +0000 (10:57 +0200)]
Added a NULL check to rlm_perl
Otherwise, trying to start rlm_perl with an invalid file parameter would cause a segfault.
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:51:30 +0000 (14:51 -0400)]
Merge pull request #732 from nchaigne/v3.0.x
dhcpclient - timeout and decline, release, inform
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:50:27 +0000 (14:50 -0400)]
Merge pull request #734 from spbnick/switch_cnf_to_sha256
Switch .cnf files to sha256 message digest
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:50:08 +0000 (14:50 -0400)]
Merge pull request #736 from spbnick/add_rlm_krb5_doc
Add minimal rlm_krb5 documentation file
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:49:51 +0000 (14:49 -0400)]
Merge pull request #735 from spbnick/add_P_option_to_man_pages
Add description of -P option to man pages
Arran Cudbard-Bell [Wed, 16 Jul 2014 18:49:22 +0000 (14:49 -0400)]
Merge pull request #733 from spbnick/clarify_snmp_trap_conditions
Clarify conditions of limit hit SNMP notifications
Nikolai Kondrashov [Wed, 16 Jul 2014 16:59:03 +0000 (19:59 +0300)]
Add description of -P option to man pages
Add description of -P option to radtest and radclient man pages.
Nikolai Kondrashov [Wed, 16 Jul 2014 17:04:20 +0000 (20:04 +0300)]
Clarify conditions of limit hit SNMP notifications
Use "hit" instead of "reach" in the descriptions of serverMaxRequest and
serverMaxThreads SNMP notifications to make it clearer that they trigger
upon attempt to exceed the limit, not upon reaching the maximum allowed
value.
Nikolai Kondrashov [Wed, 16 Jul 2014 17:22:40 +0000 (20:22 +0300)]
Switch .cnf files to sha256 message digest
Use sha256 as default_md (message digest) in all .cnf files as it is
more secure than the previous, now considered weak, sha1.
Nikolai Kondrashov [Wed, 16 Jul 2014 17:47:53 +0000 (20:47 +0300)]
Add minimal rlm_krb5 documentation file
Add doc/modules/rlm_krb5 - a minimal rlm_krb5 module documentation file,
based on the wiki page. Update raddb/mods-available/krb5 comments to
point to the actual and proper location.
Nicolas C [Wed, 16 Jul 2014 14:16:59 +0000 (16:16 +0200)]
dhcpclient - timeout and decline, release, inform
Added receive timeout on socket according to -t option (retries are
still not handled).
Added commands for "decline", "release" and "inform" messages.
Updated usage.
Alan T. DeKok [Tue, 15 Jul 2014 12:11:50 +0000 (08:11 -0400)]
More changes
Alan T. DeKok [Tue, 15 Jul 2014 12:06:01 +0000 (08:06 -0400)]
Note recent changes
jvoisin [Mon, 14 Jul 2014 23:34:42 +0000 (19:34 -0400)]
Check BN_rand_range return value
CVE-2014-4733.
In practice, the function should never fail.
jvoisin [Mon, 14 Jul 2014 23:31:02 +0000 (19:31 -0400)]
Constant time memory comparison.
CVE-2014-4731.
Non-constant time comparisons usually require millions of packets
in order to get enough statistics. This is VERY hard to do with
WiFi or wired 802.1X. The delays on switch port open / close
are on the order of seconds.
jvoisin [Mon, 14 Jul 2014 23:29:06 +0000 (19:29 -0400)]
Use *_clear_free instead of *_free.
CVE-2014-4732
Arran Cudbard-Bell [Sat, 12 Jul 2014 19:02:20 +0000 (15:02 -0400)]
Update ChangeLog
Arran Cudbard-Bell [Sat, 12 Jul 2014 17:41:47 +0000 (13:41 -0400)]
Add module type sanity check
Arran Cudbard-Bell [Sat, 12 Jul 2014 14:28:06 +0000 (10:28 -0400)]
Add support for connection pool reuse
Arran Cudbard-Bell [Thu, 10 Jul 2014 20:45:48 +0000 (16:45 -0400)]
Convert another argument to bool
Alan DeKok [Sat, 12 Jul 2014 13:40:30 +0000 (09:40 -0400)]
Merge pull request #730 from nchaigne/v3.0.x
dhcpclient - store xid when encoding request
Nicolas C [Fri, 11 Jul 2014 16:16:46 +0000 (18:16 +0200)]
dhcpclient - store xid when encoding request
Fixes the incorrect debug message "Encoding DHCP-Discover of id
ffffffff".
And this will allow to correlate xid from response (should be done by
the client, but not yet).
Arran Cudbard-Bell [Thu, 10 Jul 2014 16:40:17 +0000 (12:40 -0400)]
Typo
Arran Cudbard-Bell [Thu, 10 Jul 2014 16:35:05 +0000 (12:35 -0400)]
Formatting and documentation
Sam Hartman [Thu, 10 Jul 2014 11:41:09 +0000 (07:41 -0400)]
find_client: min prefix of 0 needs to work
Use signed loop counter to permit 0-1 to be <= min_prefix
Sam Hartman [Thu, 10 Jul 2014 13:42:18 +0000 (09:42 -0400)]
fr_inaddr_mask fix 0 prefix
Don't depend on the behavior of shifting by 32-bits on a 32-bit type.
Alan T. DeKok [Thu, 10 Jul 2014 03:21:52 +0000 (23:21 -0400)]
Allow User-Name in CUI reply
Alan T. DeKok [Wed, 9 Jul 2014 19:33:24 +0000 (15:33 -0400)]
Use loop index to get description. Closes #729
Alan T. DeKok [Wed, 9 Jul 2014 19:27:37 +0000 (15:27 -0400)]
A parent config section might not exist
when dynamically adding a home server.
Arran Cudbard-Bell [Wed, 9 Jul 2014 16:34:30 +0000 (12:34 -0400)]
Remove useless extern declarations
Arran Cudbard-Bell [Wed, 9 Jul 2014 15:26:34 +0000 (11:26 -0400)]
Cleanup EAP-SIM macros
Arran Cudbard-Bell [Wed, 9 Jul 2014 15:25:26 +0000 (11:25 -0400)]
Debug condition is now a fr_cond_t
Arran Cudbard-Bell [Wed, 9 Jul 2014 15:12:23 +0000 (11:12 -0400)]
Limit which operators can be used with LDAP group comparison
and other minor cleanups
Arran Cudbard-Bell [Wed, 9 Jul 2014 00:09:19 +0000 (20:09 -0400)]
Formatting
Arran Cudbard-Bell [Wed, 9 Jul 2014 00:09:00 +0000 (20:09 -0400)]
Fixup Sqlite schema
Stefan Paetow [Tue, 8 Jul 2014 08:45:01 +0000 (09:45 +0100)]
Update cui
Updated comments to clarify the dual purpose of the unlang fragment.
Arran Cudbard-Bell [Tue, 8 Jul 2014 03:23:25 +0000 (23:23 -0400)]
Try and make dlopen library search messages clearer
Alan T. DeKok [Tue, 8 Jul 2014 02:35:12 +0000 (22:35 -0400)]
Remove reply:User-Name only if there's a reply:CUI
Herwin Weststrate [Sun, 6 Jul 2014 10:37:27 +0000 (12:37 +0200)]
Changed integer type for rlm_eap_{ttls,peap} tunnel types to bool where applicable
Herwin Weststrate [Sun, 6 Jul 2014 10:55:03 +0000 (12:55 +0200)]
Use enums instead of define lists in rlm_eap_peap
But only for the values that are only used internally.
Arran Cudbard-Bell [Mon, 7 Jul 2014 18:28:21 +0000 (14:28 -0400)]
Formatting
Alan T. DeKok [Mon, 7 Jul 2014 16:09:28 +0000 (12:09 -0400)]
As posted to the list
Arran Cudbard-Bell [Fri, 4 Jul 2014 15:08:19 +0000 (11:08 -0400)]
Merge pull request #725 from nchaigne/v3.0.x
radeapclient - fix send_packet
Nicolas C [Fri, 4 Jul 2014 15:03:33 +0000 (17:03 +0200)]
radeapclient - fix send_packet
I spotted two errors in radeapclient.c, introduced in the following
previous commits.
With this fix, radeapclient is now useable again.
1)
Commit:
c8a062a112f17a5810d311dc0e0acfe963b2d440
(2014/06/13)
- send_packet(rep, &req);
-
- if (!req) return -1;
+ send_packet(req, &rep);
+ if (!rep) {
Arguments got reversed. Hence segmentation fault later when doing:
for (vp = req->vps; vp != NULL; vp = vpnext) {
Bit of caution on the wording used in radeapclient:
"req" is the request coming FROM the server. (because this is not a
"request" in RADIUS sense, but an EAP-Request within the EAP-SIM
transaction.)
"rep" is the response from the client TO the server (EAP-Response).
2)
Commit:
bc3676835c3dcc220ab518d4c3c35962bc0f8be2
(2014/05/02)
In "send_packet":
+ if (!req || !rep || !*rep) return -1;
*rep == NULL is the expected behaviour...
Philippe Wooding [Fri, 4 Jul 2014 10:33:44 +0000 (12:33 +0200)]
In redhat spec file, update dependency on json-c to version 0.10 as 0.11 only exists for fedora and 0.10 builds ok
Philippe Wooding [Fri, 4 Jul 2014 10:29:29 +0000 (12:29 +0200)]
Update redhat spec file to reflect the fact rlm_host is no longer experimental.
Alan T. DeKok [Wed, 2 Jul 2014 23:59:51 +0000 (19:59 -0400)]
Use correct type for length
Alan T. DeKok [Wed, 2 Jul 2014 23:45:37 +0000 (19:45 -0400)]
No need for casting in talloc_array_length()
Alan T. DeKok [Wed, 2 Jul 2014 23:43:51 +0000 (19:43 -0400)]
rad_vp2attr() returns -1 on error, 0 on "not enough room"
Kevin Wasserman [Wed, 2 Jul 2014 11:56:39 +0000 (07:56 -0400)]
Channel bindings fixes
-fix size calculation
-skip unwanted attrs when copying
-add safety check to copy code in case size is wrong
-add cast to get correct result from talloc_array_length()
Kevin Wasserman [Mon, 30 Jun 2014 15:41:32 +0000 (11:41 -0400)]
Don't call free on talloc'ed channel bindings packet
Kevin Wasserman [Sat, 28 Jun 2014 09:22:25 +0000 (05:22 -0400)]
Fix cursor initialization bugs in eap_chbind_vp2packet
Herwin Weststrate [Wed, 2 Jul 2014 17:21:01 +0000 (19:21 +0200)]
Fixed adding attributes with multiple values to rlm_perl
Without this fix, the array in Perl would start with the value of the
first attribute in the packet, combined with the actual values of the
attribute.
The debug log would look like this:
$RAD_REPLY{'User-Name'}[0] = &reply:User-Name -> 'anonymous'
$RAD_REPLY{'h323-credit-amount'}[1] = &reply:h323-credit-amount -> '100'
$RAD_REPLY{'h323-credit-amount'}[2] = &reply:h323-credit-amount -> '101'
The actual value of $RAD_REPLY{'h323-credit-amount'} is
['anonymous','100','101']
Arran Cudbard-Bell [Tue, 1 Jul 2014 17:48:25 +0000 (13:48 -0400)]
Merge pull request #719 from nchaigne/v3.0.x
3.0.x - Make EAP-SIM work again - proper encoding of EAP-SIM attributes ...
Nicolas C [Tue, 1 Jul 2014 15:03:03 +0000 (17:03 +0200)]
3.0.x - Make EAP-SIM work again - proper encoding of EAP-SIM attributes within EAP-Message
This fix follows the issue I logged (on the mailing list, not on GitHub)
on June 11th.
As a reminder, the problem happened after a commit which (among other
things) modified the EAP-SIM attributes.
Since this commit, EAP-SIM authentication do not work because
EAP-Message is not properly encoded anymore by FreeRADIUS.
I believe the commit is the following:
https://github.com/FreeRADIUS/freeradius-server/commit/
39df09e42d80a96363be0bddee2ff0ba97fdb035
So, here is a fix.
I also fixed the attributes issue in radeapclient, but at the moment the
binary is unusable: it crashes, and I don't have time to look into this.
(I tested the fix with another EAP client)
Arran Cudbard-Bell [Tue, 1 Jul 2014 13:58:31 +0000 (09:58 -0400)]
Inline breaks linking?
Arran Cudbard-Bell [Tue, 1 Jul 2014 13:44:50 +0000 (09:44 -0400)]
Fix capitalisation in UKERNA dictionary Fixes #718
Arran Cudbard-Bell [Tue, 1 Jul 2014 13:11:21 +0000 (09:11 -0400)]
Other things still reference dict_attr_allowed_chars
Herwin Weststrate [Mon, 30 Jun 2014 10:46:24 +0000 (12:46 +0200)]
Fixed reference to config file
Herwin Weststrate [Thu, 26 Jun 2014 12:04:55 +0000 (14:04 +0200)]
Readability fixes in mods-available/perl
Alignment is now stable with any tab width.
Herwin Weststrate [Tue, 17 Jun 2014 16:00:46 +0000 (18:00 +0200)]
Fixed typo in rlm_sql.c
s/afftected/affected/
Herwin Weststrate [Mon, 16 Jun 2014 15:05:58 +0000 (17:05 +0200)]
Fixed some tabs/spaces in default virtual server
Arran Cudbard-Bell [Mon, 30 Jun 2014 18:25:40 +0000 (19:25 +0100)]
Use RFC language in eap.c messages
Arran Cudbard-Bell [Mon, 30 Jun 2014 18:19:31 +0000 (19:19 +0100)]
No need to call exit twice
Arran Cudbard-Bell [Mon, 30 Jun 2014 18:18:27 +0000 (19:18 +0100)]
Better errors on junk chars in dict.c
Alan T. DeKok [Fri, 27 Jun 2014 15:03:35 +0000 (11:03 -0400)]
We can now use talloc_free() for listeners
Alan T. DeKok [Fri, 27 Jun 2014 15:03:12 +0000 (11:03 -0400)]
Proxy sockets use common_socket_free(). Closes #680
Alan T. DeKok [Fri, 27 Jun 2014 14:51:50 +0000 (10:51 -0400)]
The default secret is "radsec"
Alan T. DeKok [Fri, 27 Jun 2014 14:47:44 +0000 (10:47 -0400)]
Now that we have default IPv6 listeners, have a v6 client, too
Alan T. DeKok [Fri, 27 Jun 2014 13:19:44 +0000 (09:19 -0400)]
No need for an empty function
Alan T. DeKok [Fri, 27 Jun 2014 13:01:14 +0000 (09:01 -0400)]
Move checks for virtual_server to listen_parse()
Which is better than scattering them through the code.
Arran Cudbard-Bell [Fri, 27 Jun 2014 13:47:07 +0000 (14:47 +0100)]
IKEv2 fixes required on our side
Arran Cudbard-Bell [Fri, 27 Jun 2014 11:30:49 +0000 (12:30 +0100)]
Assume RFC 3542 compliance for IPv6 socket options, which fixes IPv6 support on FreeBSD 10.0
Arran Cudbard-Bell [Fri, 27 Jun 2014 10:09:29 +0000 (11:09 +0100)]
Confusing comments
Arran Cudbard-Bell [Fri, 27 Jun 2014 10:01:08 +0000 (11:01 +0100)]
Fix for ptrace check under FreeBSD
Arran Cudbard-Bell [Thu, 26 Jun 2014 20:41:22 +0000 (21:41 +0100)]
Use standard return codes
Arran Cudbard-Bell [Thu, 26 Jun 2014 19:34:38 +0000 (20:34 +0100)]
Convert binary values to octets type attributes correctly
Arran Cudbard-Bell [Thu, 26 Jun 2014 19:34:12 +0000 (20:34 +0100)]
Rename vpsname to list_name
Add array indexes to multivalued attributes
Arran Cudbard-Bell [Thu, 26 Jun 2014 17:12:24 +0000 (18:12 +0100)]
Fixup debugging and formatting in rlm_perl
Herwin Weststrate [Thu, 26 Jun 2014 12:17:57 +0000 (14:17 +0200)]
Improve debug logging of rlm_perl
Don't just show the attributes being copied, but also say where they are
copied from/to.
Alan T. DeKok [Thu, 26 Jun 2014 12:33:32 +0000 (08:33 -0400)]
Set a timer for marking a home server dead. Closes #712
Alan T. DeKok [Thu, 26 Jun 2014 12:20:15 +0000 (08:20 -0400)]
Note recent changes
Alan T. DeKok [Thu, 26 Jun 2014 12:17:30 +0000 (08:17 -0400)]
Pass2 for attributes in existence checks
if (&foo-LDAP-Group) {
...
}
Arran Cudbard-Bell [Thu, 26 Jun 2014 11:00:57 +0000 (12:00 +0100)]
Update ChangeLog
Arran Cudbard-Bell [Thu, 26 Jun 2014 10:59:00 +0000 (11:59 +0100)]
Update ChangeLog
Arran Cudbard-Bell [Thu, 26 Jun 2014 10:55:53 +0000 (11:55 +0100)]
Remove redundant includes of netinet/in.h
Arran Cudbard-Bell [Thu, 26 Jun 2014 10:55:40 +0000 (11:55 +0100)]
Set errno appropriately if we're building without IPv6 support and an IPv6 socket is requested
Arran Cudbard-Bell [Thu, 26 Jun 2014 10:55:12 +0000 (11:55 +0100)]
Define __APPLE_USER_RFC_2292 so the IPv6 socket options are exposed on OSX
Herwin Weststrate [Thu, 26 Jun 2014 09:59:13 +0000 (11:59 +0200)]
Updated some required packages for Debian build
With newer version of Debian (Jessie) or Ubuntu (Trusty), the packages
libjson0{,-dev} are transitional packages. Prefer their replacements if
they're available.
Arran Cudbard-Bell [Thu, 26 Jun 2014 08:17:11 +0000 (09:17 +0100)]
Use sizeof
Arran Cudbard-Bell [Thu, 26 Jun 2014 00:24:19 +0000 (01:24 +0100)]
Check return code of write
Arran Cudbard-Bell [Wed, 25 Jun 2014 23:03:38 +0000 (00:03 +0100)]
Use _fr_fault_log by default
Arran Cudbard-Bell [Wed, 25 Jun 2014 22:29:45 +0000 (23:29 +0100)]
Only register fr_fault signal handlers if we're not running under a debugger
Alan T. DeKok [Wed, 25 Jun 2014 21:20:19 +0000 (17:20 -0400)]
Allow delayed references to attributes. Helps with #711
The short answer for the issue is to use attribute references.
if (&ldap-psec-Ldap-Group == "Professors") {
...
}
however, using "&" would result in an error. This commit allows
the "&", which will make the check work.
Alan T. DeKok [Wed, 25 Jun 2014 20:30:51 +0000 (16:30 -0400)]
Just print out what we have for debugging.