git.ipfire.org Git - thirdparty/freeradius-server.git/log
Alan T. DeKok [Thu, 31 Aug 2023 13:42:47 +0000 (09:42 -0400)]
remove restrictions on attribute numbers
there are just too many attributes now which can go anywhere,
so these checks are significantly less useful
Alan T. DeKok [Thu, 31 Aug 2023 13:28:38 +0000 (09:28 -0400)]
it helps to remove unused things
Alan T. DeKok [Thu, 31 Aug 2023 13:21:22 +0000 (09:21 -0400)]
this is no longer virtual
it's only used for internal tests
Alan T. DeKok [Thu, 31 Aug 2023 13:17:49 +0000 (09:17 -0400)]
replace Packet-Authentication-Vector
It's still used for radius_tp_decode_proto, but the attribute
is no longer a virtual one
Alan T. DeKok [Wed, 30 Aug 2023 15:30:43 +0000 (11:30 -0400)]
s/vector/challenge/
it's only stupid RADIUS which puts the challenge into the packet
header / authentication vector
Alan T. DeKok [Wed, 30 Aug 2023 15:10:27 +0000 (11:10 -0400)]
move CHAP encode to src/lib/util
because it's no longer a RADIUS protocol function
Alan T. DeKok [Wed, 30 Aug 2023 15:09:49 +0000 (11:09 -0400)]
don't depend on CHAP length. Use MD5 length.
It's all 16 octets, but this removes an unnecessary dependency
on CHAP
Nick Porter [Wed, 30 Aug 2023 10:55:12 +0000 (11:55 +0100)]
Add CHAP tests to TACACS
Nick Porter [Wed, 30 Aug 2023 10:07:56 +0000 (11:07 +0100)]
Add CHAP options to command line of tacacs_client
Nick Porter [Wed, 30 Aug 2023 09:45:59 +0000 (10:45 +0100)]
No need for tacacs_pap policy now rlm_chap uses call_env
Nick Porter [Tue, 29 Aug 2023 16:28:43 +0000 (17:28 +0100)]
Use a call_env with rlm_chap
Nick Porter [Tue, 29 Aug 2023 16:30:24 +0000 (17:30 +0100)]
Update TACACS test to call rlm_pap
Nick Porter [Mon, 28 Aug 2023 17:10:57 +0000 (18:10 +0100)]
No need for tacacs_pap policy now rlm_pap uses call_env
Nick Porter [Mon, 28 Aug 2023 17:04:13 +0000 (18:04 +0100)]
Use a call environment for rlm_pap
Nick Porter [Wed, 30 Aug 2023 09:26:30 +0000 (10:26 +0100)]
Use min_challenge_len when checking length of CHAP-Challenge
Nick Porter [Wed, 30 Aug 2023 09:14:01 +0000 (10:14 +0100)]
Convert %(chap_password:) to a module xlat so we can pass in the instance data
Nick Porter [Wed, 30 Aug 2023 09:12:23 +0000 (10:12 +0100)]
Add min_challenge_len to CHAP module config
Un-documented as it should only be changed to handle insane client
devices.
Nick Porter [Wed, 30 Aug 2023 08:22:14 +0000 (09:22 +0100)]
Add vector_len to fr_radius_encode_chap_password
To allow for variable length challenges
Alan T. DeKok [Wed, 30 Aug 2023 00:50:11 +0000 (20:50 -0400)]
%{} vs %() is a dice roll
Alan T. DeKok [Tue, 29 Aug 2023 23:35:32 +0000 (19:35 -0400)]
remove last vestiges of Virtual-Server
Jorge Pereira [Tue, 29 Aug 2023 23:14:10 +0000 (20:14 -0300)]
Dictionaries prefix are no longer used (#5165)
Let's normalize all dictionaries to not use Vendor name as a prefix.
Alan T. DeKok [Tue, 29 Aug 2023 22:16:29 +0000 (18:16 -0400)]
remove unused Packet-Type
Alan T. DeKok [Tue, 29 Aug 2023 22:14:48 +0000 (18:14 -0400)]
removed unused attribute and functions
Alan T. DeKok [Tue, 29 Aug 2023 22:05:11 +0000 (18:05 -0400)]
Remove old virtual attributes
Module-Return-Code
Virtual-Server
Request-Processing-Stage
update examples, document them, etc.
Alan T. DeKok [Tue, 29 Aug 2023 21:47:14 +0000 (17:47 -0400)]
add %{interpreter:...} for virtual attributes
Module-Return-Code
Virtual-Server
Request-Processing-Stage
the processing stage _should_ be things like "recv Access-Request".
Due to various re-architecture issues, it's now hard-coded by the
src/process functions to be the name of the protocol.
We probably want to fix that
Alan T. DeKok [Tue, 29 Aug 2023 21:37:47 +0000 (17:37 -0400)]
typos
Alan T. DeKok [Tue, 29 Aug 2023 21:32:26 +0000 (17:32 -0400)]
remove extraneous "break"
Jorge Pereira [Tue, 29 Aug 2023 18:03:07 +0000 (15:03 -0300)]
Fixup Doxygen comments
Alan T. DeKok [Tue, 29 Aug 2023 15:41:53 +0000 (11:41 -0400)]
remove migration use_new_conditions
Jorge Pereira [Tue, 29 Aug 2023 15:06:56 +0000 (12:06 -0300)]
Dictionaries prefix are no longer used (#5163)
Nick Porter [Fri, 25 Aug 2023 11:34:06 +0000 (12:34 +0100)]
Use call env to evaluate password for LDAP bind
Makes module protocol agnostic for LDAP binds
Nick Porter [Mon, 28 Aug 2023 16:12:34 +0000 (17:12 +0100)]
SASL user binds do not need to look up the user DN
This means that if user binds use SASL, and the LDAP module has not
already been called to retrieve the user object, there is no need to
perform the initial lookup of the DN.
So, in the case that LDAP's sole purpose is to perform authentication
this reduces the number of LDAP calls made.
Nick Porter [Fri, 25 Aug 2023 10:52:23 +0000 (11:52 +0100)]
&User-Name is not actually used in LDAP bind auth
What actually happens is the user DN is looked up using the base and
filter, then the bind is performed as that DN.
Therefore, User-Name is not strictly needed - something else could be
identifying the user.
Nick Porter [Fri, 25 Aug 2023 17:15:50 +0000 (18:15 +0100)]
Set bind_pool start = 0 to reduce noise in LDAP test logs
Nick Porter [Tue, 29 Aug 2023 10:02:45 +0000 (11:02 +0100)]
Use ldap_url_desc2str for building referral host uris
To be consistent with other construction of host URIs
Nick Porter [Tue, 29 Aug 2023 09:30:46 +0000 (10:30 +0100)]
Assess LDAP map to set expect_password if a password is being retrieved
Original setting of this got lost in move of ldap map code in 2017...
Nick Porter [Fri, 25 Aug 2023 14:13:27 +0000 (15:13 +0100)]
SASL bind doesn't use the DN
Nick Porter [Fri, 25 Aug 2023 16:52:12 +0000 (17:52 +0100)]
Add notes on LDAP group membership xlat to upgrade doc
Nick Porter [Fri, 25 Aug 2023 13:52:34 +0000 (14:52 +0100)]
Ensure we print the log entry with either error or fmt populated
Nick Porter [Fri, 25 Aug 2023 13:51:25 +0000 (14:51 +0100)]
Better error message
Alan T. DeKok [Tue, 29 Aug 2023 00:53:17 +0000 (20:53 -0400)]
and again "shut the heck up"
Alan T. DeKok [Tue, 29 Aug 2023 00:38:13 +0000 (20:38 -0400)]
more "shut up static analysis"
Alan T. DeKok [Mon, 28 Aug 2023 21:53:51 +0000 (17:53 -0400)]
update doc notes
Alan T. DeKok [Mon, 28 Aug 2023 21:50:47 +0000 (17:50 -0400)]
who killed the dinosaurs?
We did!
The only paircmp() API is finally gone. Good riddance to bad rubbish.
Alan T. DeKok [Mon, 28 Aug 2023 21:49:58 +0000 (17:49 -0400)]
re-enable regex tests for files module
and fix code to match
Alan T. DeKok [Mon, 28 Aug 2023 21:49:34 +0000 (17:49 -0400)]
typo
Alan T. DeKok [Mon, 28 Aug 2023 21:46:04 +0000 (17:46 -0400)]
shut up static analyzer
Alan T. DeKok [Mon, 28 Aug 2023 21:18:48 +0000 (17:18 -0400)]
shut up static analyzer
Alan T. DeKok [Mon, 28 Aug 2023 21:10:14 +0000 (17:10 -0400)]
allow and handle regexes
Alan T. DeKok [Mon, 28 Aug 2023 21:05:36 +0000 (17:05 -0400)]
Revert "Attempt to keep fr_nbo_to_foo() from tainting the pointer (#5156)"
This reverts commit 6bcdb8a7200cab4d185a9e73a823944983c15a8f.
this made no difference to Coverity
Alan T. DeKok [Mon, 28 Aug 2023 21:02:19 +0000 (17:02 -0400)]
Revert "Skip fr_assert() for static analysis (CID #1414423)"
This reverts commit 28aae6fc257004cb24473934657436466d59dd22.
Alan T. DeKok [Mon, 28 Aug 2023 21:01:52 +0000 (17:01 -0400)]
remove note that regexes aren't supported.
Alan T. DeKok [Mon, 28 Aug 2023 20:59:05 +0000 (16:59 -0400)]
add fr_regex_cmp_op()
as a mirror to fr_value_box_cmp_op(), and which is called from
that function.
If the LHS isn't a string / octets, the LHS is printed to an
intermediate buffer, and that is used for the regex.
James Jones [Mon, 28 Aug 2023 15:44:37 +0000 (10:44 -0500)]
Skip fr_assert() for static analysis (CID #1414423)
For static analysis, fr_assert() is plain assert...but otherwise,
for non-debugging versions, it just logs. That means that to
coverity, the mutex won't be unlocked, while in production it
will always be unlocked.
Alexis La Goutte [Mon, 28 Aug 2023 14:32:25 +0000 (14:32 +0000)]
Aruba(dictionary): Update dicto from ClearPass 6.11.4
Alan T. DeKok [Mon, 28 Aug 2023 17:51:11 +0000 (13:51 -0400)]
make the files module work (mostly)
Regular expressions are not supported.
Arguably the module actually supported inter-attribute comparisons,
we just never tried that?
Alan T. DeKok [Mon, 28 Aug 2023 14:20:26 +0000 (10:20 -0400)]
remove old condition code
Alan T. DeKok [Mon, 28 Aug 2023 13:16:01 +0000 (09:16 -0400)]
remove last potential call to cond_tokenize
We can then remove all of the old condition code
Alan T. DeKok [Mon, 28 Aug 2023 12:44:09 +0000 (08:44 -0400)]
update unit tests to only use new conditions
which resulted in a number of changes
* the xlats need to be instantiated (and they're not), so we can't
print regexes. As a result, regex parsing tests are omitted
* escape tests are omitted, as the old code automatically purifies
them, and the new ones don't do that
* the old code purifies a lot of things automatically. The new
code doesn't, so many tests changed
* the old code reordered conditions to put the attribute on the LHS
the new code doesn't.
* the old code printed many casts, which are suppressed in the
new code
* the old code printed rcodes and existence checks as-is. The new
code prints them as functions. If we care to fix this, we can
add a "print" callback which just prints them in the correct
format. However, because the xlats aren't instantiated, the
print routine won't really work the way we expect.
* the output files have a bunch of "@todo" sprinkled through them
these are things which could likely be fixed without too much
work, but which aren't critical, and don't affect behavior
Alan T. DeKok [Mon, 28 Aug 2023 12:43:52 +0000 (08:43 -0400)]
there's no longer any cond_t in the "if" block
Alan T. DeKok [Mon, 28 Aug 2023 00:51:25 +0000 (20:51 -0400)]
inst->xlat may not exist in some circumstances
Alan T. DeKok [Sun, 27 Aug 2023 21:46:51 +0000 (17:46 -0400)]
remove use_new_conditions flag, and start hard-coding it
the command-line parameter is still accepted for compatibility,
but it is ignored.
Alan T. DeKok [Sun, 27 Aug 2023 20:05:18 +0000 (16:05 -0400)]
don't force use_new_conditions = false
Alan T. DeKok [Sun, 27 Aug 2023 19:48:38 +0000 (15:48 -0400)]
dict_def can be NULL for unit tests
Alan T. DeKok [Sun, 27 Aug 2023 19:32:55 +0000 (15:32 -0400)]
set dict for functions we alloc
Alan T. DeKok [Sun, 27 Aug 2023 19:32:33 +0000 (15:32 -0400)]
copy dict when copying functions
Alan T. DeKok [Sun, 27 Aug 2023 19:31:06 +0000 (15:31 -0400)]
make error message clearer.
We also have an issue where 'cp' may be NULL, and it still calls
cf_log_err(cp, ...). But that will be another fix
Alan T. DeKok [Sun, 27 Aug 2023 19:27:09 +0000 (15:27 -0400)]
can't be passing NULL parameters, including dict_def
Alan T. DeKok [Sun, 27 Aug 2023 18:57:19 +0000 (14:57 -0400)]
we don't need !!!!!!!!
Alan T. DeKok [Sun, 27 Aug 2023 18:37:12 +0000 (14:37 -0400)]
let's set the configuration flag
Alan T. DeKok [Sun, 27 Aug 2023 14:57:22 +0000 (10:57 -0400)]
always use new conditions
Let's set a simple flag to see if anything breaks. That way if
something bad does happen, we only have to revert one line of code.
If everything works, we can then start on the longer process of
removing all of the old condition code.
Alan T. DeKok [Sun, 27 Aug 2023 13:57:13 +0000 (09:57 -0400)]
force new conditions
Alan T. DeKok [Sun, 27 Aug 2023 13:32:44 +0000 (09:32 -0400)]
it helps to check the correct return code
Alan T. DeKok [Sun, 27 Aug 2023 13:17:50 +0000 (09:17 -0400)]
Revert "just call value_box_cmp_op()"
This reverts commit 922064282139d6d30b60e108ee68cf81d55bf156.
seems to result in talloc failures? It's not clear why, but in
the interest of moving forward in other places, we'll just revert
this
Alan T. DeKok [Sun, 27 Aug 2023 12:45:42 +0000 (08:45 -0400)]
typos
Alan T. DeKok [Sun, 27 Aug 2023 12:43:35 +0000 (08:43 -0400)]
paircmp works with new conditions
Alan T. DeKok [Sun, 27 Aug 2023 12:42:08 +0000 (08:42 -0400)]
merge paircmp tests
Alan T. DeKok [Sun, 27 Aug 2023 12:34:11 +0000 (08:34 -0400)]
move paircmp() to rlm_sql
and drastically simplify it. The behavior is similar enough for
most cases, except:
* regular expression operators are no longer supported. It's not
hard to re-add them. As they're not needed right now, they can
be temporarily removed
* virtual attributes like Packet-Src-IP-Address are not supported
Again, this isn't terribly difficult to re-add. But once the
Packet-* attributes are moved to Net.* attributes, then any
virtual attribute comparisons become much less useful.
The remainder are Virtual-Server, Request-Processing-Stage,
and Module-Return-Code. Those could arguably all be moved to
realized attributes in the control list. And be made immutable,
so that "unlang" can't change them.
Alan T. DeKok [Sun, 27 Aug 2023 12:04:05 +0000 (08:04 -0400)]
just call value_box_cmp_op()
Alan T. DeKok [Sat, 26 Aug 2023 20:20:09 +0000 (16:20 -0400)]
added RFC 9445 dictionary
Alan T. DeKok [Sat, 26 Aug 2023 20:02:04 +0000 (16:02 -0400)]
remove Client-Shortname and replace with %{client:shortname}
Alan T. DeKok [Sat, 26 Aug 2023 19:53:26 +0000 (15:53 -0400)]
Packet-Type is no longer virtual
Alan T. DeKok [Sat, 26 Aug 2023 19:48:20 +0000 (15:48 -0400)]
Packet-Type is a real attribute here, too
Alan T. DeKok [Sat, 26 Aug 2023 19:44:43 +0000 (15:44 -0400)]
we now always use one function: generic_cmp()
Alan T. DeKok [Sat, 26 Aug 2023 19:41:24 +0000 (15:41 -0400)]
Packet-Type is now always a real attribute
which means that we don't need a virtual attribute callback for it.
Alan T. DeKok [Sat, 26 Aug 2023 19:22:38 +0000 (15:22 -0400)]
remove xlat wrapper for paircmp
Alan T. DeKok [Sat, 26 Aug 2023 19:20:26 +0000 (15:20 -0400)]
minor cleanups
Alan T. DeKok [Sat, 26 Aug 2023 19:17:31 +0000 (15:17 -0400)]
remove "firstonly"
Alan T. DeKok [Sat, 26 Aug 2023 19:14:56 +0000 (15:14 -0400)]
remove "from" parameter
Alan T. DeKok [Sat, 26 Aug 2023 19:08:45 +0000 (15:08 -0400)]
remove instance from paircmp()
Alan T. DeKok [Sat, 26 Aug 2023 19:02:04 +0000 (15:02 -0400)]
we no longer need paircmp_unregister_instance()
no modules have registered paircmp() functions
Alan T. DeKok [Sat, 26 Aug 2023 18:43:43 +0000 (14:43 -0400)]
clarifications
James Jones [Fri, 25 Aug 2023 15:43:24 +0000 (10:43 -0500)]
Attempt to keep fr_nbo_to_foo() from tainting the pointer (#5156)
Related CIDs: #12433443, #1448182, #1520415, #1503937, #1503914
Coverity claims the fr_nbo_to_foo() functions taint the pointer
passed to it. Thereafter, any data accessed via that pointer is
considered tainted, and any copy of the pointer has the same
issue.
Something like this (copying the passed pointer to a local--with
any optimization, register coalescence will mean this has zero
overhead, BTW--) is the only thing that comes to mind to work around
the issue.
Alan T. DeKok [Fri, 25 Aug 2023 14:59:18 +0000 (10:59 -0400)]
remove test paircmp, and this paircmp_register_by_name
Alan T. DeKok [Fri, 25 Aug 2023 14:51:09 +0000 (10:51 -0400)]
remove Client-IP-Address, and replace with Packet-Src-IP-Address
this is made more problematic by the fact that DHCPv4 defines its
own Client-IP-Address, which is something different.
And there are also FreeRADIUS-Client-IP-Address for dynamic clients,
and FreeRADIUS-Stats-Client-IP-Address for statistics. Both of
those should be replaced with better names, and nested TLVs
Alan T. DeKok [Fri, 25 Aug 2023 14:50:46 +0000 (10:50 -0400)]
regenerate from updated source
Alan T. DeKok [Fri, 25 Aug 2023 14:50:24 +0000 (10:50 -0400)]
typo
Alan T. DeKok [Fri, 25 Aug 2023 13:44:28 +0000 (09:44 -0400)]
move winbind to %{winbind.group:...}
Alan T. DeKok [Fri, 25 Aug 2023 11:59:15 +0000 (07:59 -0400)]
try to shut up scanner
Alan T. DeKok [Fri, 25 Aug 2023 11:55:39 +0000 (07:55 -0400)]
typos and word smithing