Linus Nordberg [Wed, 28 Aug 2013 11:48:49 +0000 (13:48 +0200)]
radsecproxy-1.6.5.
Linus Nordberg [Wed, 28 Aug 2013 11:48:49 +0000 (13:48 +0200)]
Have radmsg_copy_attrs() return error in all error cases.
Also when copying of the first attribute fails.
Linus Nordberg [Wed, 28 Aug 2013 11:48:49 +0000 (13:48 +0200)]
Make a _copy_ of the attributes when copying them.
Doh!
Closes RADSECPROXY-53.
Linus Nordberg [Wed, 28 Aug 2013 11:48:49 +0000 (13:48 +0200)]
radsecproxy-1.6.4
Linus Nordberg [Wed, 28 Aug 2013 11:48:49 +0000 (13:48 +0200)]
Keep Proxy-State attributes in all replies to clients.
Closes RADSECPROXY-52.
Linus Nordberg [Wed, 4 Sep 2013 13:52:27 +0000 (15:52 +0200)]
radsecproxy-1.6.3
Linus Nordberg [Wed, 4 Sep 2013 13:51:54 +0000 (15:51 +0200)]
Remove generated files (auto tools).
Some of these were revived in 4c163b1e bc they were supposedly not
generated when running autogen.sh. That's not the case (any more) so
let's avoid checking in generated files.
Note that these files will be included in tar balls made from make
dist.
Linus Nordberg [Mon, 2 Sep 2013 12:14:12 +0000 (14:14 +0200)]
radsecproxy-1.6.3-rc0
Linus Nordberg [Tue, 27 Aug 2013 11:35:51 +0000 (13:35 +0200)]
Update ChangeLog with two older bug fixes.
Linus Nordberg [Tue, 27 Aug 2013 11:25:53 +0000 (13:25 +0200)]
Improve warning message when failing to resolve a dynamic server config.
Linus Nordberg [Mon, 26 Aug 2013 15:02:07 +0000 (17:02 +0200)]
Time out on TLS clients not closing the connection properly.
Patch by Fabian Mauchle.
Linus Nordberg [Mon, 26 Aug 2013 14:52:14 +0000 (16:52 +0200)]
When timing out while reading from a TLS server, shutdown the socket properly.
Also signal the "client writer" (clientwr()).
Together, this should result in TLS connections being cleaned up properly.
Patch by Fabian Mauchle.
Linus Nordberg [Mon, 26 Aug 2013 14:42:44 +0000 (16:42 +0200)]
Don't wait for _writable_ when _reading_ an SSL socket.
Also, don't select() at all if SSL_pending() says there's data to
read.
Patch by Fabian Mauchle.
Linus Nordberg [Mon, 26 Aug 2013 13:32:13 +0000 (15:32 +0200)]
Don't free struct clsrvconf members rewritein and rewriteout.
They are pointers into static struct hash *rewriteconfs and should
live forever.
Patch by Fabian Mauchle.
Linus Nordberg [Mon, 26 Aug 2013 13:04:28 +0000 (15:04 +0200)]
Update ChangeLog with the last three bug fixes/enhancements.
Also, in a lame attempt at giving credit for last commit where I
failed at doing that:
4920ff44 is a patch from Fabian Mauchle.
Linus Nordberg [Mon, 26 Aug 2013 12:25:51 +0000 (14:25 +0200)]
Purge the duplication cache once per received packet.
Linus Nordberg [Mon, 26 Aug 2013 12:02:56 +0000 (14:02 +0200)]
Add Fabian Mauchle to AUTHORS.
Linus Nordberg [Mon, 26 Aug 2013 10:04:07 +0000 (12:04 +0200)]
Return free memory more aggressively.
Have free(3) call sbrk(2) when there's 4 MB to free (default on Linux
seems to be 128).
Patch by Fabian Mauchle.
Conflicts:
configure.ac
Linus Nordberg [Mon, 26 Aug 2013 08:35:12 +0000 (10:35 +0200)]
Create threads with a 32 KB stack rather than what happens to be the default.
On Linux, the default stack size is typically 8 MB.
Patch by Fabian Mauchle.
Linus Nordberg [Fri, 31 May 2013 12:10:49 +0000 (14:10 +0200)]
Honour escaped slashes in regular expressions.
Closes RADSECPROXY-51.
Linus Nordberg [Mon, 6 May 2013 09:12:50 +0000 (11:12 +0200)]
Verify a single hash/hmac in the tests, not two.
Linus Nordberg [Tue, 23 Apr 2013 13:06:35 +0000 (15:06 +0200)]
Add Simon Lundström to AUTHORS.
Linus Nordberg [Tue, 23 Apr 2013 13:04:29 +0000 (15:04 +0200)]
Fix a help string in radsecproxy-hash(1) (-h).
Spotted by Simon Lundström.
Linus Nordberg [Tue, 23 Apr 2013 09:52:16 +0000 (11:52 +0200)]
Make radsecproxy-hash(1) not print the hash four times.
Bug found by Simon Lundström and jocar.
Conflicts:
radsecproxy-hash.c
Linus Nordberg [Tue, 23 Apr 2013 09:48:55 +0000 (11:48 +0200)]
Improve the documentation for the fticks_hashmac() interface.
That interface is a bit surprising. radsecproxy-hash(1) was indeed
bitten by it.
Also, make _format_hash() behave consistently even when out_len < 3.
Conflicts:
fticks_hashmac.c
Linus Nordberg [Thu, 1 Nov 2012 08:02:42 +0000 (09:02 +0100)]
Update ChangeLog entry for 1.6.2 with correct CVE id.
1.6.2 is already released but correct ChangeLog info is good.
Linus Nordberg [Thu, 25 Oct 2012 11:41:24 +0000 (13:41 +0200)]
Mention CVE number in ChangeLog.
Linus Nordberg [Thu, 25 Oct 2012 11:21:57 +0000 (13:21 +0200)]
radsecproxy-1.6.2
Linus Nordberg [Fri, 19 Oct 2012 21:23:04 +0000 (23:23 +0200)]
Don't mix up pre- and post-handshake verification of DTLS clients.
Commit db965c9b addressed TLS clients only.
When verifying DTLS clients, don't consider config blocks with CA
settings ('tls') which differ from the one used for verifying the
certificate chain.
Original issue reported and analysed by Ralf Paffrath. DTLS being
vulnerable reported by Raphael Geisser.
Addresses issue RADSECPROXY-43, CVE-2012-4523.
Linus Nordberg [Fri, 19 Oct 2012 21:23:04 +0000 (23:23 +0200)]
Update documentation on default secret for TLS and DTLS.
The change was done in radsecproxy-1.6 (2012-04-27) but wasn't
documented properly.
Linus Nordberg [Fri, 19 Oct 2012 21:23:04 +0000 (23:23 +0200)]
Bump version.
Linus Nordberg [Thu, 18 Oct 2012 12:35:13 +0000 (14:35 +0200)]
Update ChangeLog with CVE id for RADSECPROXY-43.
Linus Nordberg [Fri, 14 Sep 2012 11:19:58 +0000 (13:19 +0200)]
Bump version in configure.ac too.
Linus Nordberg [Fri, 14 Sep 2012 11:15:12 +0000 (13:15 +0200)]
radsecproxy-1.6.1
Linus Nordberg [Fri, 14 Sep 2012 11:07:06 +0000 (13:07 +0200)]
Document the effects of RADSECPROXY-43.
https://project.nordu.net/browse/RADSECPROXY-43
Linus Nordberg [Thu, 13 Sep 2012 13:19:22 +0000 (15:19 +0200)]
Don't mix up pre- and post-handshake verification of clients.
When verifying clients, don't consider config blocks with CA
settings ('tls') which differ from the one used for verifying the
certificate chain. Reported by Ralf Paffrath.
Reported and analysed by Ralf Paffrath.
Addresses issue RADSECPROXY-43.
Linus Nordberg [Mon, 13 Aug 2012 08:07:09 +0000 (10:07 +0200)]
Make naptr-eduroam.sh check NAPTR type case insensitively.
Fix by Adam Osuchowski.
Linus Nordberg [Mon, 13 Aug 2012 07:56:28 +0000 (09:56 +0200)]
Fix typo in ChangeLog.
Linus Nordberg [Fri, 18 May 2012 20:44:32 +0000 (22:44 +0200)]
New versions of generated files from the Autotools.
Linus Nordberg [Fri, 18 May 2012 20:44:32 +0000 (22:44 +0200)]
Bump version to 1.6.1-dev.
Faidon Liambotis [Wed, 23 May 2012 06:59:53 +0000 (08:59 +0200)]
manpage fix: use minus signs instead of hyphens
To: radsecproxy@uninett.no
Cc: Faidon Liambotis <paravoid@debian.org>
Date: Wed, 23 May 2012 01:50:26 +0300
groff interprets "-" as hyphens (U+2010) and not as minus signs
(U+002D). Process arguments are clearly being done with minus signs, so
escape them properly and make copy/paste work again.
Faidon Liambotis [Wed, 23 May 2012 06:59:37 +0000 (08:59 +0200)]
Tiny spelling fix on radsecproxy.conf.5.xml
To: radsecproxy@uninett.no
Cc: Faidon Liambotis <paravoid@debian.org>
Date: Wed, 23 May 2012 01:50:27 +0300
s/specifed/specified/
Linus Nordberg [Fri, 27 Apr 2012 12:52:38 +0000 (14:52 +0200)]
radsecproxy-1.6.
Linus Nordberg [Fri, 27 Apr 2012 10:58:15 +0000 (12:58 +0200)]
radsecproxy-1.6-rc2.
Linus Nordberg [Fri, 27 Apr 2012 10:55:59 +0000 (12:55 +0200)]
Release a lock.
Patch from Ralf Paffrath <paffrath@dfn.de>.
Linus Nordberg [Thu, 26 Apr 2012 13:46:35 +0000 (15:46 +0200)]
radsecproxy-1.6-rc1.
Linus Nordberg [Thu, 26 Apr 2012 13:16:22 +0000 (15:16 +0200)]
Add experimental code for dynamic discovery (only if ENABLE_EXPERIMENTAL_DYNDISC).
Patch from Ralf Paffrath <paffrath@dfn.de>.
Linus Nordberg [Thu, 26 Apr 2012 12:02:06 +0000 (14:02 +0200)]
Add configure option --enable-experimental-dyndisc.
Linus Nordberg [Tue, 17 Apr 2012 08:03:36 +0000 (10:03 +0200)]
Ready for radsecproxy-1.6-rc0.
Linus Nordberg [Tue, 17 Apr 2012 07:49:03 +0000 (09:49 +0200)]
Document the IPv4Only and IPv6Only options.
RADSECPROXY-37.
Linus Nordberg [Mon, 16 Apr 2012 10:22:08 +0000 (12:22 +0200)]
Initialize ipv4only and ipv6only.
Linus Nordberg [Fri, 13 Apr 2012 16:19:25 +0000 (18:19 +0200)]
Add top-level config options IPv4Only and IPv6Only.
Related to RADSECPROXY-37.
TODO: Add documentation.
Linus Nordberg [Fri, 13 Apr 2012 11:33:44 +0000 (13:33 +0200)]
Add client and server config options IPv4Only and IPv6Only.
Related to RADSECPROXY-37.
TODO: Add documentation.
Linus Nordberg [Mon, 16 Apr 2012 19:29:03 +0000 (21:29 +0200)]
Use printf(1) instead of 'echo -e' in tools/ scripts.
Closes RADSECPROXY-40.
Linus Nordberg [Mon, 16 Apr 2012 14:37:35 +0000 (16:37 +0200)]
Update documentation to reflect the change of the default place to look for radsecproxy.conf.
Linus Nordberg [Mon, 16 Apr 2012 14:36:53 +0000 (16:36 +0200)]
Add a note about the change of default place to look for radsecproxy.conf.
Linus Nordberg [Mon, 16 Apr 2012 14:22:08 +0000 (16:22 +0200)]
Correct changelog entry for RADSECPROXY-33.
Linus Nordberg [Mon, 16 Apr 2012 14:04:24 +0000 (16:04 +0200)]
Block a dynamic server for 15 minutes if it's not working.
This is the old number. We used 1 minute during testing.
Linus Nordberg [Thu, 12 Apr 2012 18:23:14 +0000 (20:23 +0200)]
Document the DynamicLookupCommand option.
Closes RADSECPROXY-36.
Linus Nordberg [Thu, 12 Apr 2012 18:20:38 +0000 (20:20 +0200)]
Merge branch 'master' into dynconf2
Linus Nordberg [Thu, 12 Apr 2012 18:12:33 +0000 (20:12 +0200)]
Revert "Document the DynamicLookupCommand option."
This goes in branch dynconf2.
This reverts commit dbcc997716f5bec3316c74371eb8077884d6672d.
Linus Nordberg [Wed, 11 Apr 2012 09:03:11 +0000 (11:03 +0200)]
Add a blurb on dynamic lookup in ChangeLog.
Linus Nordberg [Tue, 10 Apr 2012 14:14:43 +0000 (16:14 +0200)]
Add dynamic config updates to ChangeLog.
Linus Nordberg [Tue, 10 Apr 2012 14:03:44 +0000 (16:03 +0200)]
Assert that the conf has at least one host in addserverextraudp().
Dynamic servers have clearly never been run on UDP servers.
We should probably do something less evil than crashing here.
Closes RADSECPROXY-26.
Linus Nordberg [Tue, 10 Apr 2012 13:55:57 +0000 (15:55 +0200)]
Don't treat exit 10 from dynamic scripts differently from any other non-zero code.
clientwr() should treat the dynamic lookup as a failure and will not
be any happier to know that the exact error was that it didn't resolve.
The script can do whatever logging is wanted.
That said, this commit also makes the scripts exit with 10 in order to
signal failure.
Linus Nordberg [Tue, 3 Apr 2012 14:56:23 +0000 (16:56 +0200)]
Keep track of a failing dynamic server and don't use it while failing.
Also, sleep less than 15 minutes (900s), mainly for testing. This
number will change.
Also, die hard and explicitly if freeing an already freed config in
freeclsrvconf().
This is part of fixing RADSECPROXY-33.
Linus Nordberg [Thu, 12 Apr 2012 15:12:45 +0000 (17:12 +0200)]
Use /bin/sh rather than /bin/bash in scripts.
Using /bin/bash isn't portable.
Linus Nordberg [Thu, 12 Apr 2012 15:10:48 +0000 (17:10 +0200)]
Use built-in echo rather than /bin/echo.
`-e' to /bin/echo isn't portable. The BSDs lack it for instance.
Linus Nordberg [Thu, 12 Apr 2012 15:09:05 +0000 (17:09 +0200)]
Make dynamic-resolve scripts in tools/ sort numerically.
Spotted by Paul Dekkers. Closes RADSECPROXY-39.
Linus Nordberg [Thu, 12 Apr 2012 14:43:12 +0000 (16:43 +0200)]
Document the DynamicLookupCommand option.
This closes RADSECPROXY-36.
Linus Nordberg [Thu, 12 Apr 2012 13:20:57 +0000 (15:20 +0200)]
Add/update copyright years.
Linus Nordberg [Thu, 12 Apr 2012 13:20:09 +0000 (15:20 +0200)]
Minor ChangeLog changes.
Linus Nordberg [Wed, 11 Apr 2012 17:57:37 +0000 (19:57 +0200)]
Update ChangeLog.
Linus Nordberg [Wed, 11 Apr 2012 17:57:28 +0000 (19:57 +0200)]
Update date in radsecproxy.conf.5.
Linus Nordberg [Wed, 11 Apr 2012 15:08:42 +0000 (17:08 +0200)]
Add config option PidFile.
Note that `-i' on the command line overrides this config option.
This closes RADSECPROXY-32.
Linus Nordberg [Wed, 11 Apr 2012 14:50:08 +0000 (16:50 +0200)]
Honour configure option --sysconfdir.
This closes RADSECPROXY-31.
Linus Nordberg [Wed, 11 Apr 2012 10:24:17 +0000 (12:24 +0200)]
Update date in ChangeLog.
Linus Nordberg [Wed, 11 Apr 2012 10:23:36 +0000 (12:23 +0200)]
Rephrase the FTicksSyslogFacility examples slightly.
Much like what 1c05812c did for radsecproxy.conf-example.
Linus Nordberg [Wed, 11 Apr 2012 09:20:37 +0000 (11:20 +0200)]
Change default shared secret for TLS and DTLS.
We change from "mysecret" to "radsec" as per
draft-ietf-radext-radsec-12.txt section 2.3 (4).
Linus Nordberg [Wed, 11 Apr 2012 09:05:28 +0000 (11:05 +0200)]
Add a todo item to the develdoc file.
Linus Nordberg [Tue, 10 Apr 2012 14:24:30 +0000 (16:24 +0200)]
Copy three missing clsrvconf members when "merging configurations".
Linus Nordberg [Tue, 3 Apr 2012 14:56:23 +0000 (16:56 +0200)]
Don't free memory which others are still using.
In the error case in confserver_cb() where compileserverconfig() we
used to go to errexit and have resonf, passed as an argument through
ARG, freed. Other parts are still using that conf.
Linus Nordberg [Tue, 3 Apr 2012 14:56:23 +0000 (16:56 +0200)]
Fix two error printouts.
Linus Nordberg [Tue, 3 Apr 2012 14:56:23 +0000 (16:56 +0200)]
OpenSSL uses long long. We use -pedantic. Add -Wno-long-long.
Closes RADSECPROXY-34.
Linus Nordberg [Sat, 18 Feb 2012 19:13:46 +0000 (11:13 -0800)]
Stop resolver scripts from signalling "not found".
This triggers a bug in radsecproxy. Don't use it for now.
Linus Nordberg [Sat, 18 Feb 2012 19:12:13 +0000 (11:12 -0800)]
Remove documentation on dynamic lookup since it doesn't work.
Also, add some notes about dynamic lookup esp. wrt. freeing of resources to develdoc.txt.
Linus Nordberg [Mon, 23 Jan 2012 12:06:09 +0000 (13:06 +0100)]
Make radsecproxy-conf exit with !0 if it finds syntax errors in config file.
Note that this is a syntax check only. Passing this test doesn't mean
that the config file is good for running radsecproxy!
Linus Nordberg [Mon, 23 Jan 2012 11:49:52 +0000 (12:49 +0100)]
Protect IPv6 addresses in square brackets to avoid misinterpretation.
Linus Nordberg [Thu, 22 Dec 2011 09:31:47 +0000 (10:31 +0100)]
Add F-Ticks improvements to ChangeLog.
Linus Nordberg [Thu, 22 Dec 2011 09:27:04 +0000 (10:27 +0100)]
Contribute Paweł Gołaszewski.
Linus Nordberg [Thu, 22 Dec 2011 09:09:42 +0000 (10:09 +0100)]
Fix indentation from 2c705843.
Linus Nordberg [Thu, 22 Dec 2011 09:04:24 +0000 (10:04 +0100)]
Merge remote-tracking branch 'maja/master'
Maja Gorecka-Wolniewicz [Wed, 21 Dec 2011 09:10:33 +0000 (10:10 +0100)]
New option for client block - fticksVISINST
Linus Nordberg [Tue, 13 Dec 2011 09:33:32 +0000 (10:33 +0100)]
Update copyright years.
Linus Nordberg [Mon, 12 Dec 2011 14:42:50 +0000 (15:42 +0100)]
Merge branch 'fticks_syslog2'
Linus Nordberg [Mon, 12 Dec 2011 14:19:26 +0000 (15:19 +0100)]
Use correct capitalisation for defaultClient and defaultServer.
Used in 'tls defaultClient' and 'tls defaultServer' configuration blocks.
Reported by Maja Gorecka-Wolniewicz.
Linus Nordberg [Mon, 12 Dec 2011 13:42:36 +0000 (14:42 +0100)]
Fix missing renaming of FTICKS_LOG.
Found by Maja Wolniewicz.
Linus Nordberg [Mon, 12 Dec 2011 13:40:18 +0000 (14:40 +0100)]
Merge branch 'master' into fticks_syslog2
Linus Nordberg [Mon, 12 Dec 2011 13:36:08 +0000 (14:36 +0100)]
Remove offending (and seemingly unused) AM_LDFLAGS from Makefile.am.
Linus Nordberg [Mon, 12 Dec 2011 13:28:53 +0000 (14:28 +0100)]
Autoconf: Don't use deprecated AM_PROG_CC_C_O.