Matthew Newton [Thu, 17 Sep 2015 23:36:41 +0000 (00:36 +0100)]
don't segfault when asked for help
print the help for the current command if there are no subcommands to list
Arran Cudbard-Bell [Thu, 17 Sep 2015 17:56:35 +0000 (18:56 +0100)]
Merge pull request #1245 from jpereira/debian/logrotate1
Fix logrotate debian
Jorge Pereira [Thu, 17 Sep 2015 17:29:45 +0000 (14:29 -0300)]
Fix logrotate debian
Arran Cudbard-Bell [Thu, 17 Sep 2015 16:51:11 +0000 (17:51 +0100)]
No breaking changes in stable versions
Arran Cudbard-Bell [Thu, 17 Sep 2015 16:50:02 +0000 (17:50 +0100)]
Revert "if try to load a wrong client from SQL, don't start"
This is wrong, we don't introduce behaviour changes that will break people's deployments in stable versions of the server
Arran Cudbard-Bell [Thu, 17 Sep 2015 16:49:22 +0000 (17:49 +0100)]
Revert "logrotate: send a HUP after rotation"
This is wrong, copyrotate is the correct command to use
Alan T. DeKok [Thu, 17 Sep 2015 15:02:50 +0000 (11:02 -0400)]
note recent changes
Alan DeKok [Thu, 17 Sep 2015 15:02:35 +0000 (11:02 -0400)]
Merge pull request #1243 from jpereira/bug/debian-logrotate
debian: Fixing logrotate script
Jorge Pereira [Thu, 17 Sep 2015 14:27:21 +0000 (11:27 -0300)]
debian: Fixing logrotate script
Jorge Pereira [Thu, 17 Sep 2015 14:19:59 +0000 (11:19 -0300)]
logrotate: send a HUP after rotation
Alan T. DeKok [Thu, 17 Sep 2015 14:17:01 +0000 (10:17 -0400)]
More RFCs
Alan DeKok [Thu, 17 Sep 2015 13:09:07 +0000 (09:09 -0400)]
Merge pull request #1242 from jpereira/fix/wrong-client-sql
if has a wrong client-settings, don't rise!
Jorge Pereira [Thu, 17 Sep 2015 12:45:47 +0000 (09:45 -0300)]
if try to load a wrong client from SQL, don't start
Alan T. DeKok [Wed, 16 Sep 2015 19:17:34 +0000 (15:17 -0400)]
Accidentally committed
Alan T. DeKok [Wed, 16 Sep 2015 18:09:09 +0000 (14:09 -0400)]
note recent changes
Alan DeKok [Wed, 16 Sep 2015 18:36:14 +0000 (14:36 -0400)]
Merge pull request #1241 from jpereira/fix/xlat-space
xlat_explode: trim white space
Jorge Pereira [Wed, 16 Sep 2015 18:06:48 +0000 (15:06 -0300)]
xlat_explode: trim white space
Alan T. DeKok [Wed, 16 Sep 2015 17:15:40 +0000 (13:15 -0400)]
note recent changes
Alan T. DeKok [Wed, 16 Sep 2015 17:15:00 +0000 (13:15 -0400)]
Allow virtual attrs in switch. Fixes #1240
Alan T. DeKok [Wed, 16 Sep 2015 17:07:09 +0000 (13:07 -0400)]
Forgot a return...
Alan T. DeKok [Wed, 16 Sep 2015 16:47:37 +0000 (12:47 -0400)]
Be a bit more careful about thread transitions
Alan T. DeKok [Wed, 16 Sep 2015 00:58:46 +0000 (20:58 -0400)]
note recent changes
Alan T. DeKok [Wed, 16 Sep 2015 00:54:38 +0000 (20:54 -0400)]
Proxying to a bad destination is a failure.
Arran Cudbard-Bell [Tue, 15 Sep 2015 21:04:26 +0000 (22:04 +0100)]
Missed slash
Alan T. DeKok [Tue, 15 Sep 2015 16:01:17 +0000 (12:01 -0400)]
Remove extraneous debug
Arran Cudbard-Bell [Tue, 15 Sep 2015 14:06:43 +0000 (15:06 +0100)]
Package memcached
Arran Cudbard-Bell [Tue, 15 Sep 2015 13:53:52 +0000 (14:53 +0100)]
Revert "Include rlm_cache_memcached in spec file"
libmemcached on CentOS is too old for this to work
Arran Cudbard-Bell [Tue, 15 Sep 2015 13:43:56 +0000 (14:43 +0100)]
Document and fix args
Alan T. DeKok [Tue, 15 Sep 2015 13:22:38 +0000 (09:22 -0400)]
Allow dots in policy / module names. Fixes #1237
Alan T. DeKok [Tue, 15 Sep 2015 13:09:37 +0000 (09:09 -0400)]
Lower the default pool size
Arran Cudbard-Bell [Mon, 14 Sep 2015 20:32:52 +0000 (21:32 +0100)]
Include rlm_cache_memcached in spec file
Arran Cudbard-Bell [Mon, 14 Sep 2015 20:29:50 +0000 (21:29 +0100)]
Merge pull request #1235 from FreeRADIUS/revert-1204-patch-1
Revert "Fix libs" - Only memcached will actually be built
Arran Cudbard-Bell [Mon, 14 Sep 2015 20:29:20 +0000 (21:29 +0100)]
Revert "Fix libs"
Arran Cudbard-Bell [Mon, 14 Sep 2015 17:27:36 +0000 (18:27 +0100)]
This was never backported
Arran Cudbard-Bell [Mon, 14 Sep 2015 17:20:03 +0000 (18:20 +0100)]
Update ChangeLog
Arran Cudbard-Bell [Mon, 14 Sep 2015 16:22:56 +0000 (17:22 +0100)]
No ocsp_ok label either
Arran Cudbard-Bell [Mon, 14 Sep 2015 16:21:21 +0000 (17:21 +0100)]
No skipped label in v3.0.x
Alan T. DeKok [Mon, 14 Sep 2015 16:02:37 +0000 (12:02 -0400)]
Try to open client socket in fr_server_domain_socket_perm()
Just like in fr_server_domain_socket_peercred()
Arran Cudbard-Bell [Mon, 14 Sep 2015 16:18:02 +0000 (17:18 +0100)]
Should skip the OCSP check
Arran Cudbard-Bell [Mon, 14 Sep 2015 16:13:41 +0000 (17:13 +0100)]
Typo
Alan T. DeKok [Mon, 14 Sep 2015 15:48:10 +0000 (11:48 -0400)]
Don't unlink socket if we can't open it
Alan T. DeKok [Mon, 14 Sep 2015 14:48:08 +0000 (10:48 -0400)]
Truncate to actual length, not by trailing zeros
Arran Cudbard-Bell [Sun, 13 Sep 2015 17:43:23 +0000 (18:43 +0100)]
If there's no OCSP URLs in the certificates, and we have a configured OCSP URL, we should fall back to that URL
Alan T. DeKok [Mon, 14 Sep 2015 12:51:09 +0000 (08:51 -0400)]
For encrypted attributes, set explicit length if given
for MS-CHAP-MPPE-Keys
Alan T. DeKok [Mon, 14 Sep 2015 12:50:00 +0000 (08:50 -0400)]
Set explicit length for MS-CHAP-MPPE-Key
Because it's encrypted with the same method as User-Password,
BUT it contains binary data. So it may have embedded zeros.
Which means the decoder needs to make it a fixed length,
instead of looking for zeros
Alan T. DeKok [Mon, 14 Sep 2015 12:47:56 +0000 (08:47 -0400)]
Enforce more restraints, and allow "octets[24] encrypt=1"
dict_addattr() can be called from places other than process_attribute()
so we move some of the checks to process_attribute()
This lets us do more checks on the "length" flag.
And to allow "octets[24] encrypt=1" for MS-CHAP-MPPE-Key.
Alan T. DeKok [Mon, 14 Sep 2015 12:21:40 +0000 (08:21 -0400)]
The MS-CHAP-MPPE-Keys attribute has 24 octets of data, not 32
This makes no difference to anyone, as the receiver will always
truncate it at 24 octets, and ignore the trailing zeros
Alan T. DeKok [Sun, 13 Sep 2015 14:30:32 +0000 (10:30 -0400)]
update explanation of what we're doing
Alan T. DeKok [Sun, 13 Sep 2015 14:30:11 +0000 (10:30 -0400)]
More debugging around session-state
Arran Cudbard-Bell [Sat, 12 Sep 2015 19:07:45 +0000 (20:07 +0100)]
Update ChangeLog
Alan T. DeKok [Sat, 12 Sep 2015 01:58:42 +0000 (21:58 -0400)]
note recent changes
Arran Cudbard-Bell [Fri, 11 Sep 2015 22:11:05 +0000 (23:11 +0100)]
Merge pull request #1231 from mcnewton/v3.0.x
small documentation fix/cleanups [ci skip]
Matthew Newton [Fri, 11 Sep 2015 22:07:27 +0000 (23:07 +0100)]
small documentation fix/cleanups
Arran Cudbard-Bell [Fri, 11 Sep 2015 17:04:31 +0000 (18:04 +0100)]
No need for if
Confusing because the rest of the frees don't use a condition
Alan T. DeKok [Fri, 11 Sep 2015 16:52:32 +0000 (12:52 -0400)]
Doxygen
Arran Cudbard-Bell [Fri, 11 Sep 2015 16:18:58 +0000 (17:18 +0100)]
Don't leak client_fd on error
Arran Cudbard-Bell [Fri, 11 Sep 2015 16:17:30 +0000 (17:17 +0100)]
Formatting
Alan T. DeKok [Fri, 11 Sep 2015 16:16:53 +0000 (12:16 -0400)]
Use fr_pair_list_mcopy... instead of fr_pair_list_move...
Alan T. DeKok [Fri, 11 Sep 2015 16:10:35 +0000 (12:10 -0400)]
Add fr_pair_list_mcopy_by_num()
Which is like fr_pair_list_move(), but does copy / delete
instead of talloc_steal.
The problem is that talloc_steal() keeps the original parent
context around for the lifetime of the VP being stolen. Which is
bad when the VP comes from a REQUEST, and is put into another
context, which lives for multiple seconds.
Alan T. DeKok [Fri, 11 Sep 2015 16:09:39 +0000 (12:09 -0400)]
Revert "Copy VPs instead of talloc_stealing them"
This reverts commit a529c2d9bdef0f635fa10b2ab7e05527f95551b2.
There's a better fix
Alan T. DeKok [Fri, 11 Sep 2015 15:56:46 +0000 (11:56 -0400)]
Copy VPs instead of talloc_stealing them
Alan T. DeKok [Fri, 11 Sep 2015 14:33:17 +0000 (10:33 -0400)]
Check if the socket is in use before unlinking it
Arran Cudbard-Bell [Fri, 11 Sep 2015 14:13:03 +0000 (15:13 +0100)]
Add __packed__ to structs which cast over packet buffers
Alan T. DeKok [Fri, 11 Sep 2015 13:39:29 +0000 (09:39 -0400)]
note recent changes
Alan T. DeKok [Fri, 11 Sep 2015 13:18:33 +0000 (09:18 -0400)]
Syntax errors are errors, not assertions
Arran Cudbard-Bell [Fri, 11 Sep 2015 12:58:26 +0000 (13:58 +0100)]
Should be AF_UNSPEC, because we don't *know* what type of client IP we'll be parsing
Length should be -1.
Herwin Weststrate [Fri, 11 Sep 2015 06:06:10 +0000 (08:06 +0200)]
Remove second entry of Error-Cause in Access-Reject filter
This is effectively a revert of commit caaca8da2eede537270a711742cc99f0ba854eb1.
Arran Cudbard-Bell [Fri, 11 Sep 2015 12:10:12 +0000 (13:10 +0100)]
Add support for "old" style clients back. This shouldn't be removed until v3.1.x.
Herwin Weststrate [Fri, 11 Sep 2015 07:28:39 +0000 (09:28 +0200)]
Prevent possible memleak in regex
There was a very small chance that preg was allocated but not freed. This is kind of a sequel to PR #1207.
Herwin Weststrate [Wed, 9 Sep 2015 13:12:20 +0000 (15:12 +0200)]
Optionally send rejects without a delay
Currently there is only one global option to set a delay to every Access-Reject packet: reject_delay. There are use cases where you want certain rejects to have no delay, while others should have a delay. An example might be using 802.1X on Cisco LAN Devices: If a client tries MAC authentication an Access-Reject can force it to switch to 802.1X, this is a reject you want to send without any delay. On the other hand, if the client tries 802.1X with a wrong password, you still want the reject to be delayed.
By setting a value to FreeRADIUS-Response-Delay(-USec) in reply, we overwrite the global delay. The maximum supported value is 10, larger values result in a delay of 10 seconds. A value of 0 removes the delay. Not having this attribute in control results in using the global delay. If both FreeRADIUS-Response-Delay and FreeRADIUS-Response-Delay-USec are set, the second one is ignored.
Herwin Weststrate [Thu, 10 Sep 2015 05:50:01 +0000 (07:50 +0200)]
Allow response_delay to be microseconds, too
This was already done with commit 1d1c50bb0c6f5f013b9680def4b7184ecb63f64b, but there was a second assertion that assumed the delay was at least 1 second.
Alan Buxey [Thu, 10 Sep 2015 19:26:28 +0000 (20:26 +0100)]
Update radiusd-example.txt
Alan Buxey [Thu, 10 Sep 2015 19:25:27 +0000 (20:25 +0100)]
Update xlat.c
Alan Buxey [Thu, 10 Sep 2015 19:24:30 +0000 (20:24 +0100)]
Update rlm_sqlippool
Alan Buxey [Thu, 10 Sep 2015 19:24:07 +0000 (20:24 +0100)]
Update vmpsd.conf.in
Alan Buxey [Thu, 10 Sep 2015 09:15:34 +0000 (10:15 +0100)]
Update expr
Arran Cudbard-Bell [Thu, 10 Sep 2015 08:46:15 +0000 (09:46 +0100)]
Check we're building with GLIBC before assuming the GNU version of strerror_r is present Closes #1222
Alan Buxey [Wed, 9 Sep 2015 19:42:01 +0000 (20:42 +0100)]
Update radiusd-example.txt
Alan Buxey [Wed, 9 Sep 2015 19:40:55 +0000 (20:40 +0100)]
Update xlat.c
Alan Buxey [Wed, 9 Sep 2015 19:39:46 +0000 (20:39 +0100)]
Update vmpsd.conf.in
Alan Buxey [Wed, 9 Sep 2015 19:37:42 +0000 (20:37 +0100)]
Update rlm_sqlippool
Alan T. DeKok [Wed, 9 Sep 2015 19:42:44 +0000 (15:42 -0400)]
compile warnings
Alan T. DeKok [Wed, 9 Sep 2015 19:16:28 +0000 (15:16 -0400)]
Don't allow %{rand} if we require %{rand:...}
Alan T. DeKok [Wed, 9 Sep 2015 17:40:31 +0000 (13:40 -0400)]
Count backslash - CHAR in node->len
Alan T. DeKok [Wed, 9 Sep 2015 17:26:55 +0000 (13:26 -0400)]
Typo
Arran Cudbard-Bell [Wed, 9 Sep 2015 16:20:46 +0000 (17:20 +0100)]
Merge pull request #1218 from mcnewton/v3.0.x
minor doc tweak from file move
Matthew Newton [Wed, 9 Sep 2015 16:17:12 +0000 (17:17 +0100)]
minor doc tweak from file move
Arran Cudbard-Bell [Wed, 9 Sep 2015 14:50:35 +0000 (15:50 +0100)]
Merge pull request #1217 from mcnewton/v3.0.x
add documentation for xlats in the expr module
Matthew Newton [Wed, 9 Sep 2015 14:47:30 +0000 (15:47 +0100)]
add documentation for xlats in the expr module
Alan T. DeKok [Wed, 9 Sep 2015 14:32:12 +0000 (10:32 -0400)]
Allow response delay in the response
Alan T. DeKok [Wed, 9 Sep 2015 14:16:20 +0000 (10:16 -0400)]
Allow response_delay to be microseconds, too
Alan T. DeKok [Wed, 9 Sep 2015 13:34:01 +0000 (09:34 -0400)]
ifdef out unused functions
Alan T. DeKok [Wed, 9 Sep 2015 13:21:55 +0000 (09:21 -0400)]
typo
Alan T. DeKok [Wed, 9 Sep 2015 13:18:50 +0000 (09:18 -0400)]
More fixes to use SSL_export_keying_material
Alan T. DeKok [Tue, 8 Sep 2015 17:45:32 +0000 (13:45 -0400)]
packet->proto is int, not unsigned int
Alan T. DeKok [Tue, 8 Sep 2015 17:30:03 +0000 (13:30 -0400)]
note recent changes
Alan T. DeKok [Tue, 8 Sep 2015 14:15:34 +0000 (10:15 -0400)]
Parse hex Ascend-Data-Filter correctly
Alan T. DeKok [Tue, 8 Sep 2015 14:13:58 +0000 (10:13 -0400)]
Use the input length for printing, not output length
Alan T. DeKok [Mon, 7 Sep 2015 00:44:24 +0000 (20:44 -0400)]
typos
Alan T. DeKok [Sun, 6 Sep 2015 18:52:52 +0000 (14:52 -0400)]
Debug TLVs when encoding, too