Alan T. DeKok [Wed, 1 Jul 2009 07:17:31 +0000 (09:17 +0200)]
Updates as posted by David Hobley
Alan T. DeKok [Tue, 30 Jun 2009 14:57:42 +0000 (16:57 +0200)]
If the previous evaluation failed, don't process '!'
This catches the case of ((expr1) && !(expr2)), where it
would still process expr2 if expr1 failed.
Alan T. DeKok [Thu, 25 Jun 2009 18:57:00 +0000 (20:57 +0200)]
Remove bad assertion
Alan T. DeKok [Fri, 19 Jun 2009 14:02:24 +0000 (16:02 +0200)]
Fix typos
Alan T. DeKok [Fri, 19 Jun 2009 09:57:44 +0000 (11:57 +0200)]
A number of fixes for the DHCP code.
- send server identifier in siaddr field, too
- find message-type option anywhere in the packet, not just
at the start
- respond to unicast packets that have yiaddr == giaddr == 0
Alan T. DeKok [Wed, 17 Jun 2009 10:35:04 +0000 (12:35 +0200)]
Sort attributes, and print times as offsets
Alan T. DeKok [Wed, 17 Jun 2009 06:26:27 +0000 (08:26 +0200)]
Note recent changes
Alan T. DeKok [Wed, 17 Jun 2009 05:35:43 +0000 (07:35 +0200)]
Document Cleartext-Password
Alan T. DeKok [Wed, 17 Jun 2009 05:34:18 +0000 (07:34 +0200)]
Allow for overload, to read packets as fast as possible
Alan T. DeKok [Tue, 16 Jun 2009 14:39:57 +0000 (16:39 +0200)]
Removed requirement for DHCP to have clients
Alan T. DeKok [Tue, 16 Jun 2009 14:38:02 +0000 (16:38 +0200)]
Added udpfromto support for sending, too
Alan T. DeKok [Tue, 16 Jun 2009 13:55:08 +0000 (15:55 +0200)]
Added the ability to selectively mark a module as alive/dead
This is useful for when you KNOW that a server is down for a long
time, but you don't want to edit your configuration.
Alan T. DeKok [Tue, 16 Jun 2009 12:52:40 +0000 (14:52 +0200)]
Option to suppress packet contents
Alan T. DeKok [Tue, 16 Jun 2009 12:22:47 +0000 (14:22 +0200)]
Make radsniff more useful.
It now prints out LESS information, like the RADIUS filters && secret.
That information can be printed out using '-X' (should be -x)
Fixed pointer type for IP, to catch alignment issues.
use data + size, NOT ethernet + size
Cleaned up output so it's easier to read, and includes timestamps.
Added packet tree for filters. IF there's a filter, AND it matches
a request packet, THEN also print out the reply packet for that request
Alan T. DeKok [Mon, 15 Jun 2009 14:50:12 +0000 (16:50 +0200)]
Updated to apply packet src/dst rules BEFORE printing header out
Otherwise, debugging mode prints out the wrong information
Alan T. DeKok [Mon, 15 Jun 2009 14:39:39 +0000 (16:39 +0200)]
Make it work on Mac OS X
Alan T. DeKok [Mon, 15 Jun 2009 12:23:12 +0000 (14:23 +0200)]
Fix stupid typo
Alan T. DeKok [Mon, 15 Jun 2009 09:41:15 +0000 (11:41 +0200)]
Fixed typo
Alan T. DeKok [Mon, 15 Jun 2009 08:48:51 +0000 (10:48 +0200)]
Document how to filter access-challenges
Alan T. DeKok [Mon, 15 Jun 2009 07:51:38 +0000 (09:51 +0200)]
Run packet through processing ONLY if we have a reply
Alan T. DeKok [Sun, 14 Jun 2009 06:25:52 +0000 (08:25 +0200)]
Hack the dhcp offset
The dictionary files don't agree with the code, so we've got to
fix the code
Alan T. DeKok [Thu, 11 Jun 2009 08:38:24 +0000 (10:38 +0200)]
More debugging messages
Alan T. DeKok [Thu, 11 Jun 2009 08:37:51 +0000 (10:37 +0200)]
More debugging messages
Alan T. DeKok [Thu, 11 Jun 2009 07:55:48 +0000 (09:55 +0200)]
Include chillispot dictionary
Alan T. DeKok [Tue, 9 Jun 2009 07:46:29 +0000 (09:46 +0200)]
Filter Access-Challenge packets, too
Alan T. DeKok [Sat, 6 Jun 2009 07:42:40 +0000 (09:42 +0200)]
Some clients send option 53 buried inside of the packet.
Pointed out on the list by Martin Lorentz
Alan T. DeKok [Tue, 2 Jun 2009 08:35:38 +0000 (10:35 +0200)]
Mark the proxy mutex as being recursive
Some systems need this to avoid deadlocks. Others (Linux) don't
Alan T. DeKok [Mon, 1 Jun 2009 22:07:01 +0000 (00:07 +0200)]
Copy the User-Name by value
The previous method treated the User-Name as a string, and parsed it
to create the User-Name for the reply. However... if that happens,
it SHOULD print the User-Name to a string, and then parse that.
That way things like 'FOO\tbar' will get escaped to 'FOO\\tbar',
and therefore parsed properly.
Or, we could just copy the contents verbatim, which is what we did
Alan T. DeKok [Sat, 30 May 2009 07:40:05 +0000 (09:40 +0200)]
Suppress more ping check none
If the home server is zombie, and status_check=none, don't ping it
Alan T. DeKok [Wed, 27 May 2009 12:02:54 +0000 (14:02 +0200)]
Fixed typo
Alan T. DeKok [Wed, 27 May 2009 10:06:47 +0000 (12:06 +0200)]
Read all of the packet using MSG_PEEK for dynamic clients
Alan T. DeKok [Tue, 26 May 2009 14:30:14 +0000 (16:30 +0200)]
Fix typo in last commit
Alan T. DeKok [Tue, 26 May 2009 14:11:15 +0000 (16:11 +0200)]
Don't over-ride NAK with ACK
Alan T. DeKok [Tue, 26 May 2009 13:00:41 +0000 (15:00 +0200)]
Don't walk over empty trees
Alan T. DeKok [Tue, 26 May 2009 08:56:11 +0000 (10:56 +0200)]
"perl -MExtUtils::Embed -e ldopts" LIES to us
So... check if the lying liar is lying. If so, complain, and
refuse to build the module.
i.e. it says "Use -lperl to link!" But there's no "libperl.so"
on the system. And the upstream developers don't see a problem
with Perl lying to the applications. This means that we have to
check for liars, and to work around bugs in other people's software
Alan T. DeKok [Tue, 26 May 2009 08:44:35 +0000 (10:44 +0200)]
Look for <ruby.h>, and refuse to build without it
Alan T. DeKok [Tue, 26 May 2009 08:41:30 +0000 (10:41 +0200)]
Fixed typo in recv/send coa
Alan T. DeKok [Sun, 24 May 2009 16:19:43 +0000 (18:19 +0200)]
Check for misconfigured systems
Alan T. DeKok [Sun, 24 May 2009 16:18:50 +0000 (18:18 +0200)]
Add notes
Alan T. DeKok [Sun, 24 May 2009 16:16:45 +0000 (18:16 +0200)]
Use now(), not now
Alan T. DeKok [Sat, 23 May 2009 09:59:46 +0000 (11:59 +0200)]
Automatic proxy listeners are created last
Alan T. DeKok [Sat, 23 May 2009 09:53:42 +0000 (11:53 +0200)]
Allow for IPv6 src_ipaddr in home server
Alan T. DeKok [Sat, 23 May 2009 09:53:24 +0000 (11:53 +0200)]
Print more descriptive error message
Alan T. DeKok [Sat, 23 May 2009 07:08:43 +0000 (09:08 +0200)]
Have the server automatically create proxy listeners
When src_ipaddr is set.
Also fix a bug in parsing the src IP address. For now, it's not
IPv6 capable (sorry)
Alan T. DeKok [Thu, 21 May 2009 15:08:29 +0000 (17:08 +0200)]
Added -I to read from filename
Alan T. DeKok [Thu, 21 May 2009 14:50:49 +0000 (16:50 +0200)]
Missed this in the last commit
Alan T. DeKok [Thu, 21 May 2009 13:58:44 +0000 (15:58 +0200)]
Allow src_ipaddr to be specified for home servers
Alan T. DeKok [Thu, 21 May 2009 12:55:06 +0000 (14:55 +0200)]
Minor comments updated
Niko Tyni [Wed, 20 May 2009 09:11:19 +0000 (12:11 +0300)]
make_passwd: only use 'inlen' bytes of the input string
In some situations (at least a roundtrip through the rlm_perl module)
the User-Password value pair can have extra non-null bytes at the end
so that strlen(vp->data.strvalue) > vp->length.
These extra bytes should not be used by make_passwd to construct the
Message-Authenticator, so copy just 'inlen' bytes of the input string
before rounding up the length.
Alan T. DeKok [Wed, 20 May 2009 11:52:28 +0000 (13:52 +0200)]
Increase default attribute size to 64
Alan T. DeKok [Tue, 19 May 2009 07:11:56 +0000 (09:11 +0200)]
The server can now listen on CoA ports.
Alan T. DeKok [Tue, 19 May 2009 07:11:06 +0000 (09:11 +0200)]
Added event handlers for CoA
The listen section will be next
Alan T. DeKok [Tue, 19 May 2009 07:09:56 +0000 (09:09 +0200)]
Add documentation and examples for CoA
Alan T. DeKok [Tue, 19 May 2009 06:56:33 +0000 (08:56 +0200)]
Added send/recv CoA methods to the server.
Many modules have been updated to be able to process CoA packets.
The server core has been updated to process CoA packets. However,
it does not yet actually listen on a CoA port.
Alan T. DeKok [Mon, 18 May 2009 12:16:38 +0000 (14:16 +0200)]
Run code if proxy is defined, too
Alan T. DeKok [Mon, 18 May 2009 12:16:26 +0000 (14:16 +0200)]
Include udpfromto.h
Alan T. DeKok [Mon, 18 May 2009 12:15:38 +0000 (14:15 +0200)]
Now that we've released 2.1.6, updated to 2.1.7
Alan T. DeKok [Mon, 18 May 2009 11:13:55 +0000 (13:13 +0200)]
Corrected date
Alan T. DeKok [Mon, 18 May 2009 11:12:30 +0000 (13:12 +0200)]
Fix '=='
Alan T. DeKok [Thu, 14 May 2009 07:42:54 +0000 (09:42 +0200)]
Finalize for 2.1.6 release
Alan T. DeKok [Wed, 13 May 2009 06:52:09 +0000 (08:52 +0200)]
More typos
Alan T. DeKok [Wed, 13 May 2009 06:51:53 +0000 (08:51 +0200)]
Corrected typo in last commit
Alan T. DeKok [Tue, 12 May 2009 19:26:20 +0000 (21:26 +0200)]
Return from function
Alan T. DeKok [Tue, 12 May 2009 18:45:24 +0000 (20:45 +0200)]
Remove two unneeded header files
Alan T. DeKok [Tue, 12 May 2009 18:43:22 +0000 (20:43 +0200)]
Include rad_assert.h to define rad_assert
Alan T. DeKok [Tue, 12 May 2009 10:29:33 +0000 (12:29 +0200)]
Fixed typo
Alan T. DeKok [Tue, 12 May 2009 08:59:26 +0000 (10:59 +0200)]
Added notes on certificate compatibility
Alan T. DeKok [Tue, 12 May 2009 06:50:12 +0000 (08:50 +0200)]
Added policy up/down
Alan T. DeKok [Tue, 12 May 2009 06:38:20 +0000 (08:38 +0200)]
A number of fixes to make it work
- reset signal handlers to NULL just before any sleep, which
allows us to exit
- save our PID file along with radiusd.pid
- correct minor typos
- automatically figure out which arguments to pass to "tail"
Alan T. DeKok [Mon, 11 May 2009 15:07:44 +0000 (17:07 +0200)]
This corrects the typo (sigh)
Alan T. DeKok [Mon, 11 May 2009 13:59:10 +0000 (15:59 +0200)]
Corrected typo
Validate reply against packet, not against reply
Alan T. DeKok [Sun, 10 May 2009 17:33:32 +0000 (19:33 +0200)]
Moved verification of proxy responses to earlier in the packet handling
This slows down the main server thread a bit, but means that we
catch attackers earlier, i.e. before pushing a request to a
child thread.
Alan T. DeKok [Sun, 10 May 2009 17:26:57 +0000 (19:26 +0200)]
Added event wrapper around request_free
This function takes care of removing the request from the various
hashes && event lists
Alan T. DeKok [Sun, 10 May 2009 10:49:33 +0000 (12:49 +0200)]
Don't touch request after it was proxied
Alan T. DeKok [Fri, 8 May 2009 22:40:05 +0000 (00:40 +0200)]
Portability fixes
tail -n is in /usr/xpg4/bin on Solaris.
date +%s is *BSD && Linux, but not Solaris. Work around this for now...
Alan T. DeKok [Fri, 8 May 2009 15:17:26 +0000 (17:17 +0200)]
Fix radwatch for "wait" exit codes on Solaris
Alan T. DeKok [Fri, 8 May 2009 13:40:07 +0000 (15:40 +0200)]
Expose radius_get_vp, and make switch {} use it
This allows bare words to be used for switch statements. If the
statement is a bare word, the server looks for a VALUE_PAIR of that
name, and prints its value.
Alan T. DeKok [Fri, 8 May 2009 13:20:26 +0000 (15:20 +0200)]
Corrected typo
Alan T. DeKok [Fri, 8 May 2009 13:00:41 +0000 (15:00 +0200)]
More LLVM checks
Alan T. DeKok [Fri, 8 May 2009 12:49:39 +0000 (14:49 +0200)]
Minor changes in "remove from proxy hash"
This avoids esoteric race conditions that no one has seen in practice
Alan T. DeKok [Fri, 8 May 2009 11:05:46 +0000 (13:05 +0200)]
Catch invalid ACKs
Alan T. DeKok [Fri, 8 May 2009 10:53:02 +0000 (12:53 +0200)]
Fix issues found by LLVM checker.
These are mostly dead stores, etc.
Alan T. DeKok [Thu, 7 May 2009 10:28:12 +0000 (12:28 +0200)]
Updated these to 2.1.6, too
Alan T. DeKok [Thu, 7 May 2009 10:26:51 +0000 (12:26 +0200)]
Started 2.1.6
Alan T. DeKok [Thu, 7 May 2009 10:14:26 +0000 (12:14 +0200)]
Added ability to send mail when something goes wrong
This is rate-limited to once per hour, and includes the last
portion of the log file.
Alan T. DeKok [Thu, 7 May 2009 09:52:41 +0000 (11:52 +0200)]
Fixed sleep to be in one location.
Alan T. DeKok [Thu, 7 May 2009 08:55:58 +0000 (10:55 +0200)]
Check before dereference
Alan T. DeKok [Thu, 7 May 2009 08:43:27 +0000 (10:43 +0200)]
Add option "include_length" for TTLS, too.
We've always set it to "yes" in the past, by inheriting the
value from the TLS configuration. In contrast, PEAP always sets it
to "no".
However... RFC 5281 says that we should set it to "no". Since the
previous code works with everyone, we don't want to change the
defaults. But we DO add the flag that allows it to be RFC compliant.
Alan T. DeKok [Wed, 6 May 2009 15:01:40 +0000 (17:01 +0200)]
Initialize variables on all paths...
Alan T. DeKok [Wed, 6 May 2009 14:55:13 +0000 (16:55 +0200)]
Added ability to do "command ?"
this shows the help for the command.
Alan T. DeKok [Tue, 5 May 2009 19:30:38 +0000 (21:30 +0200)]
Update to do a LOT more checking, and to NOT send email.
Sending email is bad, as it wasn't rate limited. This new script
checks for a lot more conditions, including HUP and TERM sent
to the script itself.
Alan T. DeKok [Tue, 5 May 2009 12:51:12 +0000 (14:51 +0200)]
Exit with error on more signals
Alan T. DeKok [Tue, 5 May 2009 12:12:02 +0000 (14:12 +0200)]
Include more header files in the default install
Alan T. DeKok [Mon, 4 May 2009 14:14:47 +0000 (16:14 +0200)]
Fix double free on exit
Alan T. DeKok [Fri, 1 May 2009 16:32:39 +0000 (18:32 +0200)]
Don't mark pools for freeing twice
Alan T. DeKok [Wed, 29 Apr 2009 15:04:55 +0000 (17:04 +0200)]
Don't force reject if the home server doesn't respond.
The main event handler already does this, so there's no need for
us to do it, too.
Alan T. DeKok [Wed, 29 Apr 2009 15:02:11 +0000 (17:02 +0200)]
When not responding, wait longer for cleanups.
wait max_request_time, not cleanup_delay to clean up packets
that we're not responding to. This means that we don't clean up
after 5s, and then re-process the packet.
Instead, we just look at the cached packet, and don't respond
Alan T. DeKok [Wed, 29 Apr 2009 12:36:47 +0000 (14:36 +0200)]
Updates
Alan T. DeKok [Wed, 29 Apr 2009 12:34:13 +0000 (14:34 +0200)]
Cache modcallables for authorize, etc. for minor speed
Alan T. DeKok [Wed, 29 Apr 2009 11:26:58 +0000 (13:26 +0200)]
Print out more server {} around debugging messages