Alan T. DeKok [Wed, 17 May 2017 16:06:57 +0000 (12:06 -0400)]
move shutdown calls into check for ssn->ssl. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 16:03:46 +0000 (12:03 -0400)]
check sizeof(*packet). Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:51:44 +0000 (11:51 -0400)]
check ptr before dereferencing it. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:50:36 +0000 (11:50 -0400)]
remove redundant declaration. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:46:57 +0000 (11:46 -0400)]
move assertion to correct place. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:46:12 +0000 (11:46 -0400)]
remove redundant assignment. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:44:48 +0000 (11:44 -0400)]
move assertion to top of function. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:42:54 +0000 (11:42 -0400)]
fix wrong assertion. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:41:57 +0000 (11:41 -0400)]
check for OOM. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:39:07 +0000 (11:39 -0400)]
check before dereference. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:35:20 +0000 (11:35 -0400)]
don't assign wrong enum to variable. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:27:45 +0000 (11:27 -0400)]
remove redundant check. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:26:54 +0000 (11:26 -0400)]
don't use i for inner and outer loop. Found by PVS-Studio
Alan T. DeKok [Wed, 17 May 2017 15:25:44 +0000 (11:25 -0400)]
remove duplicate checks. Found by PVS-Studio
Alan DeKok [Fri, 19 May 2017 18:06:40 +0000 (14:06 -0400)]
Merge pull request #1989 from Sp1l/v3.0.x
Fix build with LibreSSL
Alan T. DeKok [Tue, 16 May 2017 12:07:12 +0000 (08:07 -0400)]
use correct packet for channel binding. Closes #1990
Alan T. DeKok [Fri, 12 May 2017 13:16:00 +0000 (09:16 -0400)]
create string only if it's needed
Alan T. DeKok [Fri, 12 May 2017 13:08:04 +0000 (09:08 -0400)]
use RDEBUG
Alan T. DeKok [Thu, 11 May 2017 14:06:19 +0000 (10:06 -0400)]
remove always-false condition
Bernard Spil [Sun, 14 May 2017 13:45:23 +0000 (15:45 +0200)]
Fix build with LibreSSL
LibreSSL does not have X509_get0_extensions and was forked from 0x1000200fL
See also: https://bugs.freebsd.org/218225
Alan DeKok [Fri, 12 May 2017 11:17:24 +0000 (07:17 -0400)]
Merge pull request #1988 from alejandro-perez/v3.0.x
Fix typo in previous commit
Alejandro Perez [Thu, 11 May 2017 16:16:20 +0000 (18:16 +0200)]
Fix typo in previous commit.
Alan T. DeKok [Thu, 11 May 2017 14:04:22 +0000 (10:04 -0400)]
re-order old names. New names come second...
Alan T. DeKok [Thu, 11 May 2017 13:59:14 +0000 (09:59 -0400)]
convert assertion to run-time check.
Alan T. DeKok [Thu, 11 May 2017 13:57:33 +0000 (09:57 -0400)]
convert assert to run-time check.
Alan T. DeKok [Thu, 11 May 2017 13:50:31 +0000 (09:50 -0400)]
revert debian packages to 3.0.12 versions
Brice Schaffner [Thu, 11 May 2017 10:05:24 +0000 (10:05 +0000)]
Added missing Patton Vendor Attributes
Added some new Patton Vendor Attributes to the list.
These attributes are now supported on the newest Patton device running on Trinity software version 3.11.2.
Arran Cudbard-Bell [Thu, 11 May 2017 10:51:10 +0000 (06:51 -0400)]
Merge pull request #1974 from alanbuxey/patch-3
fixed variable to use the "&" prefix
Arran Cudbard-Bell [Thu, 11 May 2017 10:50:55 +0000 (06:50 -0400)]
Merge branch 'v3.0.x' into patch-3
Alan T. DeKok [Wed, 10 May 2017 18:34:25 +0000 (14:34 -0400)]
add aliases for well-known names
Alan T. DeKok [Wed, 10 May 2017 18:07:54 +0000 (14:07 -0400)]
set statment to NULL. Fixes #1983
Alan DeKok [Wed, 10 May 2017 14:00:08 +0000 (10:00 -0400)]
Merge pull request #1985 from alejandro-perez/v3.0.x
Fix memory leak in trustrouter.c
Alejandro Perez [Wed, 10 May 2017 09:46:55 +0000 (11:46 +0200)]
Fix memory leak in trustrouter.c
In the trustrouter.c file, servers were being created using
talloc_zero() instead of tls_server_conf_alloc(). Thus, the
destructor _tls_server_conf_free() which frees the SSL_CTX
object was not being called.
Alan DeKok [Tue, 9 May 2017 13:36:26 +0000 (09:36 -0400)]
Merge pull request #1982 from alejandro-perez/v3.0.x
Some fixes to the trustrouter related code
Alejandro Perez [Tue, 9 May 2017 12:33:31 +0000 (14:33 +0200)]
Set idle_timeout to 5s to all the dynamic home servers
Dynamically generated home servers get eventually replaced.
We want sockets using these servers to close as soon as possible, to make sure that whenever a pool is replaced, sockets using old ones will not last long (hopefully less than 300s).
Alejandro Perez [Tue, 9 May 2017 12:21:44 +0000 (14:21 +0200)]
Increase the amount of time a pool spends in the garbage list
Under specific circumstances (e.g high authentication load) a client might keep using an old pool since the socket did not expire. 60 seconds seems too low.
Increased to make sure we do not delete it while it is still being used.
Alejandro Perez [Tue, 9 May 2017 12:13:52 +0000 (14:13 +0200)]
Remove unnecessary check to update REALM
Existing code precluded a REALM from being updated if there were traffic within the last 5 minutes.
This is an error since when the TLS keys expire, the home server will reject client’s attempts to establish a connection, leading to up to 5 minutes of denied user authentications.
Alan Buxey [Tue, 9 May 2017 11:28:07 +0000 (12:28 +0100)]
Merge branch 'v3.0.x' into patch-3
Alan T. DeKok [Mon, 8 May 2017 20:41:25 +0000 (16:41 -0400)]
note recent changes
Alan T. DeKok [Mon, 8 May 2017 20:38:56 +0000 (16:38 -0400)]
disable internal OpenSSL cache
Alan T. DeKok [Mon, 8 May 2017 20:02:27 +0000 (16:02 -0400)]
8 and 9 have tags, too
Alan T. DeKok [Mon, 8 May 2017 20:00:01 +0000 (16:00 -0400)]
set S_IWUSER when creating the file, not later
Alan T. DeKok [Sun, 7 May 2017 16:56:57 +0000 (12:56 -0400)]
added one more attribute
Matthew Newton [Fri, 28 Apr 2017 11:17:08 +0000 (12:17 +0100)]
update detail reader documentation
Closes #1973
Alan Buxey [Thu, 27 Apr 2017 19:53:21 +0000 (20:53 +0100)]
fixed variable to use the "&" prefix
removal of yellow warning when running with this enabled
Alan T. DeKok [Fri, 21 Apr 2017 17:26:51 +0000 (13:26 -0400)]
Patch from Jeff Gehlbach
The problem is that "radiusObject" is defined with an OBJECT-IDENTITY
macro, but it needs to be done with OBJECT-TYPE (i.e. a leaf node) to be
eligible for use in the OBJECTS clause of a NOTIFICATION-TYPE macro.
I've gotten jsmiparser happy by making that change, declaring the
object's syntax to be SNMP-FRAMEWORK-MIB::SnmpAdminString and setting
its max-access to "accessible-for-notify". These changes are reflected
in the attached version of the MIB definition.
Arran Cudbard-Bell [Thu, 20 Apr 2017 21:44:25 +0000 (17:44 -0400)]
Merge pull request #1964 from alanbuxey/v3.0.x
stop rotation of the session database files
Alan Buxey [Thu, 20 Apr 2017 21:33:33 +0000 (22:33 +0100)]
stop rotation of the session database files
you really don't want to be rotating these under the server - they are
not normal log files but are stateful session files (used by various
utilities). these were removed from the logrotate some time ago but
appear to have crept back in.
Alan T. DeKok [Wed, 19 Apr 2017 18:42:34 +0000 (14:42 -0400)]
terminate && check VP
Alan T. DeKok [Wed, 19 Apr 2017 13:20:11 +0000 (09:20 -0400)]
account for trailing zero. Closes #1960
Alan T. DeKok [Tue, 18 Apr 2017 15:31:10 +0000 (11:31 -0400)]
Revert "these messages don't need to go to the main radiusd.log"
This reverts commit
1f1a02baae35080b4037af88c709ef6c0ccdd2d7.
Alan T. DeKok [Tue, 18 Apr 2017 13:42:53 +0000 (09:42 -0400)]
note recent changes
Alan T. DeKok [Tue, 18 Apr 2017 13:33:50 +0000 (09:33 -0400)]
these messages don't need to go to the main radiusd.log
Alan DeKok [Thu, 13 Apr 2017 16:33:44 +0000 (12:33 -0400)]
Merge pull request #1961 from alanbuxey/patch-8
corrected some types and grammar in comments
Alan Buxey [Thu, 13 Apr 2017 14:11:53 +0000 (15:11 +0100)]
corrected some types and grammar in comments
Alan T. DeKok [Fri, 7 Apr 2017 01:18:27 +0000 (21:18 -0400)]
Don't crash on unexpected regex. Closes #1959
Alan T. DeKok [Fri, 31 Mar 2017 13:56:35 +0000 (09:56 -0400)]
check for request->packet. Closes #1935
Alan T. DeKok [Fri, 31 Mar 2017 13:37:04 +0000 (09:37 -0400)]
Fix typo. Closes #1955
Alan T. DeKok [Fri, 31 Mar 2017 01:08:53 +0000 (21:08 -0400)]
note recent changes
Alan T. DeKok [Fri, 31 Mar 2017 01:07:07 +0000 (21:07 -0400)]
these attributes are byte, not integer. Closes #1954
Alan T. DeKok [Wed, 29 Mar 2017 15:30:48 +0000 (11:30 -0400)]
start of peapv1
Alan DeKok [Wed, 29 Mar 2017 14:56:20 +0000 (10:56 -0400)]
Merge pull request #1952 from spbnick/rlm_ldap_segfault_fix
Handle connection error in rlm_ldap_cacheable_groupobj
Alan T. DeKok [Wed, 29 Mar 2017 14:54:07 +0000 (10:54 -0400)]
Allow utc. Patch from Peter Lambrechtsen
Nikolai Kondrashov [Wed, 29 Mar 2017 07:43:14 +0000 (10:43 +0300)]
Handle connection error in rlm_ldap_cacheable_groupobj
Closes #1951
Alan T. DeKok [Tue, 28 Mar 2017 19:43:38 +0000 (15:43 -0400)]
cf_log_err(), not fr_strerror_printf()
Alan T. DeKok [Tue, 28 Mar 2017 15:15:44 +0000 (11:15 -0400)]
map_cast_from_hex() does not produce error messages
Alan T. DeKok [Mon, 27 Mar 2017 19:49:34 +0000 (15:49 -0400)]
note recent changes
Alan T. DeKok [Mon, 27 Mar 2017 19:48:49 +0000 (15:48 -0400)]
re-add SSL wrappers for freeing VPs and Certs.
because OpenSSL caches things at it's own pleasure...
Alan T. DeKok [Mon, 27 Mar 2017 18:07:32 +0000 (14:07 -0400)]
more cisco VPN attributes
Florian Bauhaus [Mon, 27 Mar 2017 07:47:13 +0000 (09:47 +0200)]
Add Attribute 3076/85 (CVPN3000-Tunnel-Group-Lock)
http://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html
Alan T. DeKok [Mon, 20 Mar 2017 15:58:33 +0000 (11:58 -0400)]
note recent changes
Alan T. DeKok [Mon, 20 Mar 2017 15:24:11 +0000 (11:24 -0400)]
Search from the beginning for altname. Closes #1946
Alan T. DeKok [Fri, 17 Mar 2017 14:14:21 +0000 (10:14 -0400)]
Allow no cert when psk is configured
Alan T. DeKok [Thu, 16 Mar 2017 14:25:47 +0000 (10:25 -0400)]
remove outdated link
Alan T. DeKok [Tue, 14 Mar 2017 23:44:43 +0000 (19:44 -0400)]
Ensure that error is always initialized
Alan T. DeKok [Tue, 14 Mar 2017 23:41:13 +0000 (19:41 -0400)]
Remove always-false condition from cf_item_parse
Alan T. DeKok [Tue, 14 Mar 2017 23:40:20 +0000 (19:40 -0400)]
Remove always-false condition in rlm_eap_fast
Alan T. DeKok [Tue, 14 Mar 2017 23:35:53 +0000 (19:35 -0400)]
return RLM_MODULE_FAIL for default switch statement
Alan T. DeKok [Tue, 14 Mar 2017 23:30:02 +0000 (19:30 -0400)]
close open FDs on error, and use error path in more situations
Alan T. DeKok [Tue, 14 Mar 2017 23:27:02 +0000 (19:27 -0400)]
remove unused variable
Alan DeKok [Tue, 14 Mar 2017 23:14:11 +0000 (19:14 -0400)]
Merge pull request #1941 from spbnick/openssl_1_1_cert_perms_fix
Relax OpenSSL permissions for default key files
Nikolai Kondrashov [Tue, 14 Mar 2017 12:55:57 +0000 (14:55 +0200)]
Relax OpenSSL permissions for default key files
Recent versions of OpenSSL appear to create keys with owner-only
permissions. Allow owning group to read the created default key files
in raddb/certs, so that they stay the same as with older OpenSSL, and
that the server can read its key.
Alan T. DeKok [Sat, 11 Mar 2017 15:50:05 +0000 (10:50 -0500)]
port ranges haven't been supported for years
Alan T. DeKok [Fri, 10 Mar 2017 14:14:45 +0000 (09:14 -0500)]
request->packet cannot be NULL. Helps with #1935
Alan T. DeKok [Fri, 10 Mar 2017 14:13:34 +0000 (09:13 -0500)]
Allo session resumption for RadSec connectins. Closes #1936
Alan T. DeKok [Fri, 10 Mar 2017 14:11:03 +0000 (09:11 -0500)]
Coverity. Closes #1937
Alan T. DeKok [Wed, 8 Mar 2017 22:12:24 +0000 (17:12 -0500)]
more checks for client certificate expiration
Alan T. DeKok [Wed, 8 Mar 2017 14:22:47 +0000 (09:22 -0500)]
Remove microseconds from %S. Closes #1934
Alan T. DeKok [Tue, 7 Mar 2017 18:51:59 +0000 (13:51 -0500)]
note recent changes
Alan T. DeKok [Tue, 7 Mar 2017 18:50:09 +0000 (13:50 -0500)]
enforce TLS client certificate expiration on session resumption.
Alan DeKok [Tue, 7 Mar 2017 18:18:11 +0000 (13:18 -0500)]
Merge pull request #1933 from spaetow/patch-1
Add enhanced checks to avoid targeted_id_salt leakage over %, {, and } in the salt
Stefan Paetow [Tue, 7 Mar 2017 17:01:11 +0000 (17:01 +0000)]
Update moonshot-targeted-ids
Alan DeKok [Tue, 7 Mar 2017 15:33:48 +0000 (10:33 -0500)]
Merge pull request #1931 from sjbronner/patch-1
Fix command for linking modules in mods-enabled.
Alan T. DeKok [Tue, 7 Mar 2017 14:24:23 +0000 (09:24 -0500)]
bump for 3.0.14
Alan T. DeKok [Tue, 7 Mar 2017 14:22:10 +0000 (09:22 -0500)]
radtest should use Cleartext-Password for EAP
Sebastian J. Bronner [Tue, 7 Mar 2017 09:07:49 +0000 (10:07 +0100)]
Fix command for linking modules in mods-enabled.
Running `ln -s mods-available/foo mods-enabled/foo` will result in a dead link: `mods-enabled/foo` will point to `mods-enabled/mods-available/foo`, which doesn't exist. The link is relative from its location, not from the current directory from which it was created.
The easiest method that allows using tab completion is to link from within `mods-enabled`. The second parameter to `ln` can be left off in that case, as well. This is the change I have proposed. Another alternative would be to run `ln -s ../mods-available/foo mods-enabled/foo` from the `raddb` directory.
Alan T. DeKok [Mon, 6 Mar 2017 13:58:04 +0000 (08:58 -0500)]
note recent changes
Alan T. DeKok [Mon, 6 Mar 2017 12:31:08 +0000 (07:31 -0500)]
add missing \n
Alan T. DeKok [Sun, 5 Mar 2017 15:51:54 +0000 (10:51 -0500)]
note recent changes
Alan T. DeKok [Sun, 5 Mar 2017 13:51:27 +0000 (08:51 -0500)]
print summary if asked to do summary. Even without -x