Merge branch 'v3.0.x' into tr-integ

author Kevin Wasserman <krwasserman@painless-security.com>

Sun, 7 Sep 2014 15:11:18 +0000 (11:11 -0400)

committer Kevin Wasserman <krwasserman@painless-security.com>

Sun, 7 Sep 2014 15:11:18 +0000 (11:11 -0400)
author Kevin Wasserman <krwasserman@painless-security.com>
Sun, 7 Sep 2014 15:11:18 +0000 (11:11 -0400)
committer Kevin Wasserman <krwasserman@painless-security.com>
Sun, 7 Sep 2014 15:11:18 +0000 (11:11 -0400)
diff --cc raddb/mods-available/abfab_psk_sql

index 6a5c5cb,d75130d..022f79d
--- 1/raddb/mods-available/abfab_psk_sql
--- 2/raddb/mods-available/abfab_psk_sql
+++ b/raddb/mods-available/abfab_psk_sql
@@@ -1,10 -1,15 +1,25 @@@
++<<<<<<< HEAD
+ +#Module for PSK authorizations from ABFAb trust router
++=======
+ # -*- text -*-
+ ##
+ ## Module for PSK authorizations from ABFAB trust router
+ ##
+ ##    $Id$
+ 
++>>>>>>> v3.0.x
   sql psksql {
   
           driver = "rlm_sql_sqlite"
   
         sqlite {
                 filename = "/var/lib/trust_router/keys"
++<<<<<<< HEAD
+ +              }
+ +
+ +      }
++=======
+       }
+ 
+ }
++>>>>>>> v3.0.x
diff --cc raddb/policy.d/abfab-tr

index 4cd4f94,2b98329..b55adc8
--- 1/raddb/policy.d/abfab-tr
--- 2/raddb/policy.d/abfab-tr
+++ b/raddb/policy.d/abfab-tr
@@@ -19,22 -27,24 +27,23 @@@ abfab_pre_proxy 
                         reject
                 }
         }
-       # set trust-router-coi attribute from client configuration
+ 
+       # set trust-router-coi attribute from the client configuration
- -      if ("%{client:trust-router_coi}") {
+ +      if ("%{client:trust_router_coi}") {
                 update proxy-request {
-                       trust-router-coi := "%{client:trust_router_coi}"
- -                      Trust-Router-COI := "%{client:moonshot_coi}"
++                      Trust-Router-COI := "%{client:trust_router_coi}"
                 }
         }
-       # set gss-acceptor-realm-name attribute from client configuration
+ 
+       # set gss-acceptor-realm-name attribute from the client configuration
         if ("%{client:gss_acceptor_realm_name}") {
                 update proxy-request {
-                       gss-acceptor-realm-name := "%{client:gss_acceptor_realm_name}"
+                       GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
                 }
         }
   }
   
--#
- #  A virtual server which is used to validate channel-bindings.
+ #  A policy which is used to validate channel-bindings.
   #
   abfab_channel_bindings {
         if (GSS-Acceptor-Service-Name && (outer.request:GSS-Acceptor-Service-Name != GSS-Acceptor-Service-Name)) {
diff --cc raddb/sites-available/abfab-tls

index ede0472,1151c38..f1233e2
--- 1/raddb/sites-available/abfab-tls
--- 2/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@@ -1,12 -1,17 +1,26 @@@
++<<<<<<< HEAD
++=======
+ #
+ #     Example configuration for ABFAB listening on TLS.
+ #
+ #     $Id$
+ #
++>>>>>>> v3.0.x
   listen {
         ipaddr = *
         port = 2083
         type = auth
         proto = tcp
   
++<<<<<<< HEAD
+ +      clients = radsec-abfab
+ +      tls {
+ +              private_key_password = whatever
++=======
+       tls {
+               private_key_password = whatever
+ 
++>>>>>>> v3.0.x
                 # Moonshot tends to distribute certs separate from keys
                 private_key_file = ${certdir}/server.key
                 certificate_file = ${certdir}/server.pem
@@@ -15,24 -20,31 +29,53 @@@
                 fragment_size = 8192
                 ca_path = ${cadir}
                 cipher_list = "DEFAULT"
++<<<<<<< HEAD
+ +              cache {
+ +                enable = no
+ +                lifetime = 24 # hours
+ +                max_entries = 255
+ +                }
+ +
+ +                require_client_cert = yes
+ +                verify {
+ +      }
+ +                psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{tls-psk-identity}';}"
+ +              }
+ +      virtual_server = abfab-idp
+ +}
+ +      clients radsec-abfab {
+ +              client default {
+ +                      ipaddr = 0.0.0.0/0
+ +
+ +                      proto = tls
+ +
++=======
+ 
+               cache {
+                       enable = no
+                       lifetime = 24 # hours
+                       max_entries = 255
+               }
+ 
+               require_client_cert = yes
+               verify {
+               }
+ 
+               psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Udentity}'}"
+       }
+ 
+       virtual_server = abfab-idp
+ 
+       clients = radsec-abfab
+ }
+ 
+ clients radsec-abfab {
+       #
+       #  Allow all clients, but require TLS.
+       #
+         client default {
+               ipaddr = 0.0.0.0/0
+               proto = tls
++>>>>>>> v3.0.x
         }
   }
diff --cc src/main/process.c
Simple merge
diff --cc src/main/realms.c
Simple merge
author	Kevin Wasserman <krwasserman@painless-security.com>
	Sun, 7 Sep 2014 15:11:18 +0000 (11:11 -0400)
committer	Kevin Wasserman <krwasserman@painless-security.com>
	Sun, 7 Sep 2014 15:11:18 +0000 (11:11 -0400)
		1	2
raddb/mods-available/abfab_psk_sql	patch \|	diff1 \|	diff2 \|	blob \| history
raddb/policy.d/abfab-tr	patch \|	diff1 \|	diff2 \|	blob \| history
raddb/sites-available/abfab-tls	patch \|	diff1 \|	diff2 \|	blob \| history
src/main/process.c	patch \|	diff1 \|	diff2 \|	blob \| history
src/main/realms.c	patch \|	diff1 \|	diff2 \|	blob \| history