Alan T. DeKok [Tue, 14 Mar 2017 23:30:02 +0000 (19:30 -0400)]
close open FDs on error, and use error path in more situations
Alan T. DeKok [Tue, 14 Mar 2017 23:27:02 +0000 (19:27 -0400)]
remove unused variable
Alan DeKok [Tue, 14 Mar 2017 23:14:11 +0000 (19:14 -0400)]
Merge pull request #1941 from spbnick/openssl_1_1_cert_perms_fix
Relax OpenSSL permissions for default key files
Nikolai Kondrashov [Tue, 14 Mar 2017 12:55:57 +0000 (14:55 +0200)]
Relax OpenSSL permissions for default key files
Recent versions of OpenSSL appear to create keys with owner-only
permissions. Allow owning group to read the created default key files
in raddb/certs, so that they stay the same as with older OpenSSL, and
that the server can read its key.
Alan T. DeKok [Sat, 11 Mar 2017 15:50:05 +0000 (10:50 -0500)]
port ranges haven't been supported for years
Alan T. DeKok [Fri, 10 Mar 2017 14:14:45 +0000 (09:14 -0500)]
request->packet cannot be NULL. Helps with #1935
Alan T. DeKok [Fri, 10 Mar 2017 14:13:34 +0000 (09:13 -0500)]
Allow session resumption for RadSec connections. Closes #1936
Alan T. DeKok [Fri, 10 Mar 2017 14:11:03 +0000 (09:11 -0500)]
Coverity. Closes #1937
Alan T. DeKok [Wed, 8 Mar 2017 22:12:24 +0000 (17:12 -0500)]
more checks for client certificate expiration
Alan T. DeKok [Wed, 8 Mar 2017 14:22:47 +0000 (09:22 -0500)]
Remove microseconds from %S. Closes #1934
Alan T. DeKok [Tue, 7 Mar 2017 18:51:59 +0000 (13:51 -0500)]
note recent changes
Alan T. DeKok [Tue, 7 Mar 2017 18:50:09 +0000 (13:50 -0500)]
enforce TLS client certificate expiration on session resumption.
Alan DeKok [Tue, 7 Mar 2017 18:18:11 +0000 (13:18 -0500)]
Merge pull request #1933 from spaetow/patch-1
Add enhanced checks to avoid targeted_id_salt leakage over %, {, and } in the salt
Stefan Paetow [Tue, 7 Mar 2017 17:01:11 +0000 (17:01 +0000)]
Update moonshot-targeted-ids
Alan DeKok [Tue, 7 Mar 2017 15:33:48 +0000 (10:33 -0500)]
Merge pull request #1931 from sjbronner/patch-1
Fix command for linking modules in mods-enabled.
Alan T. DeKok [Tue, 7 Mar 2017 14:24:23 +0000 (09:24 -0500)]
bump for 3.0.14
Alan T. DeKok [Tue, 7 Mar 2017 14:22:10 +0000 (09:22 -0500)]
radtest should use Cleartext-Password for EAP
Sebastian J. Bronner [Tue, 7 Mar 2017 09:07:49 +0000 (10:07 +0100)]
Fix command for linking modules in mods-enabled.
Running `ln -s mods-available/foo mods-enabled/foo` will result in a dead link: `mods-enabled/foo` will point to `mods-enabled/mods-available/foo`, which doesn't exist. The link is relative from its location, not from the current directory from which it was created.
The easiest method that allows using tab completion is to link from within `mods-enabled`. The second parameter to `ln` can be left off in that case, as well. This is the change I have proposed. Another alternative would be to run `ln -s ../mods-available/foo mods-enabled/foo` from the `raddb` directory.
Alan T. DeKok [Mon, 6 Mar 2017 13:58:04 +0000 (08:58 -0500)]
note recent changes
Alan T. DeKok [Mon, 6 Mar 2017 12:31:08 +0000 (07:31 -0500)]
add missing \n
Alan T. DeKok [Sun, 5 Mar 2017 15:51:54 +0000 (10:51 -0500)]
note recent changes
Alan T. DeKok [Sun, 5 Mar 2017 13:51:27 +0000 (08:51 -0500)]
print summary if asked to do summary. Even without -x
Alan T. DeKok [Fri, 3 Mar 2017 14:32:49 +0000 (09:32 -0500)]
fr_log_fp may be NULL. Closes #1926
Alan T. DeKok [Fri, 3 Mar 2017 14:22:10 +0000 (09:22 -0500)]
rely on talloc for certs, too
Alan T. DeKok [Fri, 3 Mar 2017 14:20:20 +0000 (09:20 -0500)]
Don't double free VPs. Fixes #1927
Alan T. DeKok [Tue, 28 Feb 2017 18:23:26 +0000 (13:23 -0500)]
document IPv6 addresses
Alan T. DeKok [Tue, 28 Feb 2017 18:11:31 +0000 (13:11 -0500)]
quiet compiler
Nikolai Kondrashov [Tue, 28 Feb 2017 17:39:45 +0000 (18:39 +0100)]
Fix buffer overflow in fr_pton_port
Alan T. DeKok [Mon, 27 Feb 2017 19:23:40 +0000 (14:23 -0500)]
note recent changes
Alan DeKok [Mon, 27 Feb 2017 18:42:04 +0000 (13:42 -0500)]
Merge pull request #1592 from spbnick/dlopen_actual_libpython
Dlopen the actual linked libpython
Alan T. DeKok [Mon, 27 Feb 2017 18:31:31 +0000 (13:31 -0500)]
Document python_path and gotchas. Addresses #1845
Alan T. DeKok [Fri, 24 Feb 2017 16:51:40 +0000 (11:51 -0500)]
add modules.sql.fail trigger. Fixes #1923
The connection pool knows when connections are opened / closed.
It doesn't know as much when a connection fails
Alan T. DeKok [Fri, 24 Feb 2017 16:49:41 +0000 (11:49 -0500)]
mod_conn_create should not be global
Alan T. DeKok [Fri, 24 Feb 2017 15:58:11 +0000 (10:58 -0500)]
set talloc ctx to handler
Alan T. DeKok [Fri, 24 Feb 2017 15:58:00 +0000 (10:58 -0500)]
set talloc parent to sock for thread safety
Alan T. DeKok [Fri, 24 Feb 2017 15:55:20 +0000 (10:55 -0500)]
recursive recursion is bad
Alan T. DeKok [Fri, 24 Feb 2017 13:11:07 +0000 (08:11 -0500)]
fmt may be NULL. Fixes #1922
Alan T. DeKok [Wed, 22 Feb 2017 20:00:33 +0000 (15:00 -0500)]
add usec resolution to %S. Fixes #1917
Alan T. DeKok [Wed, 22 Feb 2017 16:00:49 +0000 (11:00 -0500)]
typo
Alan T. DeKok [Wed, 22 Feb 2017 15:48:51 +0000 (10:48 -0500)]
better documentation for ipaddr & friends. Fixes #1921
Alan DeKok [Wed, 22 Feb 2017 14:37:33 +0000 (09:37 -0500)]
Merge pull request #1920 from spbnick/auth_type_system_removal
Remove mentions of Auth-Type = System from docs
Nikolai Kondrashov [Wed, 22 Feb 2017 12:36:05 +0000 (13:36 +0100)]
Remove mentions of Auth-Type = System from docs
Remove mentions of "Auth-Type = System" support from the manpages,
as it is removed.
Arran Cudbard-Bell [Tue, 21 Feb 2017 14:50:01 +0000 (14:50 +0000)]
Merge pull request #1919 from spbnick/fr_pton4_hostname_fix
Handle hostnames in fr_pton4/6
Nikolai Kondrashov [Fri, 17 Feb 2017 15:16:42 +0000 (16:16 +0100)]
Handle hostnames in fr_pton4/6
Make fr_pton4/6 handle hostnames longer than the longest address +
prefix.
Alan DeKok [Tue, 21 Feb 2017 01:52:40 +0000 (20:52 -0500)]
Merge pull request #1916 from spbnick/v3.0.x_openssl_1.1_fix_2
V3.0.x openssl 1.1 fix 2
Nikolai Kondrashov [Mon, 20 Feb 2017 13:40:52 +0000 (14:40 +0100)]
Check for EVP_CIPHER_CTX_new in rlm_eap_pwd
Switch to checking for EVP_CIPHER_CTX_new instead of EVP_cleanup to detect
presence of libcrypto in rlm_eap_pwd configure.ac, because EVP_cleanup was
removed as symbol from OpenSSL 1.1, and the check would always fail.
Previously only rlm_eap_fast configure.ac was switched.
Nikolai Kondrashov [Mon, 20 Feb 2017 15:45:46 +0000 (16:45 +0100)]
Switch rlm_eap_pwd to HMAC_CTX_new/free
Switch rlm_eap_pwd.c to using HMAC_CTX_new and HMAC_CTX_free to
allocate/free HMAC contexts, thus making it support OpenSSL v1.1.0.
Nikolai Kondrashov [Mon, 20 Feb 2017 13:26:57 +0000 (14:26 +0100)]
Use openssl dhparam instead of obsolete gendh
Use `openssl dhparam` command in raddb/certs/Makefile instead of the
obsolete (and removed in OpenSSL v1.1.0) `openssl gendh`.
Alan DeKok [Mon, 20 Feb 2017 13:36:00 +0000 (08:36 -0500)]
Merge pull request #1915 from spbnick/zero_char_pointer_compare_fix
Fix three cases of comparing pointer to zero char
Nikolai Kondrashov [Mon, 20 Feb 2017 13:04:06 +0000 (14:04 +0100)]
Fix three cases of comparing pointer to zero char
Fix three cases of comparing pointer to a zero character, where pointers
were apparently intended to be dereferenced first and then compared.
Found with the help of GCC 7 warnings.
Alan T. DeKok [Sat, 18 Feb 2017 17:11:05 +0000 (12:11 -0500)]
Dictionary from cnergee.
With modifications so that the names don't conflict with
existing ones.
Alan T. DeKok [Thu, 16 Feb 2017 15:59:22 +0000 (10:59 -0500)]
suid down after fchown. Fixes #1914
Nikolai Kondrashov [Mon, 25 Apr 2016 15:58:53 +0000 (18:58 +0300)]
Dlopen the actual linked libpython
In rlm_python, if dl_iterate_phdr(3) is available, dlopen libpython
shared library at the actual path it was linked with on loading, instead
of with just its linker name (version-less SONAME).
This removes the need to have the linker name symlink (e.g.
"libpython2.7.so") in library directory, which is normally installed
only with the development packages. I.e. this removes the requirement of
having python-devel/libpython-dev installed, when loading rlm_python.
Alan T. DeKok [Wed, 15 Feb 2017 18:21:03 +0000 (13:21 -0500)]
Added systemd reload. Fixes #1662
v3.0.x has limited support for reload. While it is limited, it
is possible. So supporting it is useful
Alan T. DeKok [Wed, 15 Feb 2017 15:57:33 +0000 (10:57 -0500)]
make the install process a little clearer
Alan T. DeKok [Wed, 15 Feb 2017 15:52:40 +0000 (10:52 -0500)]
pull openssl out as a macro
Alan T. DeKok [Wed, 15 Feb 2017 15:41:08 +0000 (10:41 -0500)]
remove extra assert. Addresses #1904
Alan DeKok [Tue, 14 Feb 2017 13:26:51 +0000 (08:26 -0500)]
Merge pull request #1859 from njm506/v3.0.x
v3.0.x: cherry-pick module/site symlink packaging changes from 4.0.x
Alan T. DeKok [Mon, 13 Feb 2017 20:53:35 +0000 (15:53 -0500)]
realms don't go into "server" sections
Alexander Clouter [Mon, 13 Feb 2017 17:10:16 +0000 (17:10 +0000)]
fix radrelay
Alan DeKok [Sun, 12 Feb 2017 14:17:48 +0000 (09:17 -0500)]
Merge pull request #1907 from virgofx/v3.0.x
Nomadix attribute fix for v3.0.x
Mark Johnson [Thu, 9 Feb 2017 20:15:37 +0000 (12:15 -0800)]
Updating Nomadix dictionary with missing attributes.
Alan DeKok [Wed, 8 Feb 2017 14:53:33 +0000 (09:53 -0500)]
Merge pull request #1902 from herwinw/v30x-debian-stretch
Added default-libmysqlclient-dev as build-depend in Debian
Alan T. DeKok [Wed, 8 Feb 2017 14:52:11 +0000 (09:52 -0500)]
add example for filtering Access-Challenge messages
Herwin Weststrate [Wed, 8 Feb 2017 07:30:22 +0000 (08:30 +0100)]
Added default-libmysqlclient-dev as build-depend in Debian
As an alternative for libmysqlclient-dev. This is required to build the
package under Debian Stretch.
Alan T. DeKok [Tue, 7 Feb 2017 20:04:38 +0000 (15:04 -0500)]
typo
Alan T. DeKok [Tue, 7 Feb 2017 19:32:00 +0000 (14:32 -0500)]
reject packets which contain multiple kinds of authentication protocols
Specifically, EAP and non-EAP packets.
In reality, no one should be caught by this.
Alan T. DeKok [Tue, 7 Feb 2017 15:43:06 +0000 (10:43 -0500)]
check handler before freeing it
Alan T. DeKok [Sun, 5 Feb 2017 14:38:34 +0000 (09:38 -0500)]
update hash based on client port, too
Alan T. DeKok [Sat, 4 Feb 2017 03:03:01 +0000 (22:03 -0500)]
note recent changes
Alan T. DeKok [Fri, 3 Feb 2017 22:29:18 +0000 (17:29 -0500)]
track TLS cache filename
And ensure it's deleted on failure.
Alan T. DeKok [Fri, 3 Feb 2017 22:17:24 +0000 (17:17 -0500)]
read the TLS data first, before the VPs
Matthew Newton [Thu, 2 Feb 2017 21:59:24 +0000 (21:59 +0000)]
Merge pull request #1896 from mcnewton/v3.0.x
systemd syslog.target is obsolete
Matthew Newton [Thu, 2 Feb 2017 21:10:43 +0000 (21:10 +0000)]
systemd syslog.target is obsolete
Arran Cudbard-Bell [Thu, 2 Feb 2017 10:19:34 +0000 (10:19 +0000)]
Update copyright year
Arran Cudbard-Bell [Thu, 2 Feb 2017 10:17:29 +0000 (10:17 +0000)]
Revert "Create the database by default..."
This reverts commit
70a41b507f36d1687dbf4b1457d62973b9a84ad0.
Arran Cudbard-Bell [Thu, 2 Feb 2017 10:13:22 +0000 (10:13 +0000)]
Merge pull request #1894 from herwinw/v30x_rlm_sql_mysql_whitespace
Removed combination of space+tab in rlm_sql_mysql.c
Herwin Weststrate [Thu, 2 Feb 2017 07:28:21 +0000 (08:28 +0100)]
Removed combination of space+tab in rlm_sql_mysql.c
Replaced it with just a tab
Arran Cudbard-Bell [Wed, 1 Feb 2017 20:51:06 +0000 (20:51 +0000)]
Use the actual field lengths when creating the result array
Arran Cudbard-Bell [Wed, 1 Feb 2017 20:50:14 +0000 (20:50 +0000)]
Trim whitespace before searching for operation type
Arran Cudbard-Bell [Wed, 1 Feb 2017 20:44:00 +0000 (20:44 +0000)]
Create the database by default...
Alan DeKok [Wed, 1 Feb 2017 19:29:19 +0000 (14:29 -0500)]
Merge pull request #1893 from spaetow/patch-2
Update abfab_tr policy
Matthew Newton [Wed, 1 Feb 2017 15:56:00 +0000 (15:56 +0000)]
Merge pull request #1892 from mcnewton/v3.0.x
update kibana dashboard so it doesn't have to be imported twice
Stefan Paetow [Wed, 1 Feb 2017 14:22:06 +0000 (14:22 +0000)]
Update abfab-tr
Only set the service name when it doesn't exist (=), not overwrite it (:=)
Matthew Newton [Wed, 1 Feb 2017 13:54:55 +0000 (13:54 +0000)]
update kibana dashboard so it doesn't have to be imported twice
define the search before the visualisations
Alan T. DeKok [Wed, 1 Feb 2017 00:52:00 +0000 (19:52 -0500)]
fix typo. Fixes #1891
Alan T. DeKok [Wed, 1 Feb 2017 00:51:54 +0000 (19:51 -0500)]
more warnings
Stefan Paetow [Tue, 31 Jan 2017 17:22:30 +0000 (17:22 +0000)]
Update abfab-tr
Since there seem to be problems with the GSS-Acceptor-Host-Name occasionally, set it if it hasn't been set yet (and it's defined in the client definition). Also add the GSS-Acceptor-Service-Name if it hasn't been set, or override the one set.
Alan T. DeKok [Thu, 26 Jan 2017 20:34:44 +0000 (15:34 -0500)]
more debugging about the data we're reading
Alan T. DeKok [Thu, 26 Jan 2017 20:34:30 +0000 (15:34 -0500)]
don't write empty packets to the detail file
Alan T. DeKok [Wed, 25 Jan 2017 21:38:54 +0000 (16:38 -0500)]
debug for non-threaded too
Alan T. DeKok [Wed, 25 Jan 2017 21:14:36 +0000 (16:14 -0500)]
note recent changes
Alan T. DeKok [Wed, 25 Jan 2017 21:11:54 +0000 (16:11 -0500)]
print out packet type, contents, and reply for detail packets
Alan T. DeKok [Wed, 25 Jan 2017 21:11:37 +0000 (16:11 -0500)]
don't print out IP addresses for detail packets
Alan T. DeKok [Mon, 23 Jan 2017 18:54:10 +0000 (13:54 -0500)]
note recent changes
Matthew Newton [Fri, 20 Jan 2017 16:26:15 +0000 (16:26 +0000)]
remove Kibana 3 dashboard, as it is now obsolete :(
Matthew Newton [Fri, 20 Jan 2017 16:25:48 +0000 (16:25 +0000)]
update elasticsearch/logstash examples so that they work with elastic stack v5
Alan T. DeKok [Wed, 18 Jan 2017 17:38:32 +0000 (12:38 -0500)]
note recent changes
Alan T. DeKok [Wed, 18 Jan 2017 17:37:46 +0000 (12:37 -0500)]
typo. Fixes #1882
Alan T. DeKok [Mon, 16 Jan 2017 15:25:49 +0000 (10:25 -0500)]
Add rule to catch BSDMake