Commit message  [Author, Age, Files, Lines]
* Don't follow the NULL pointer, not even in debug printouts.  [Linus Nordberg, 2017-08-02, 3 files, -1/+6]
| Bug reported by Leonhard Knauff. Closes RADSECPROXY-68.
* Use a listen(2) backlog of 128.  [Linus Nordberg, 2017-08-02, 3 files, -2/+5]
| There's a chance that incoming (legitimate) connections arrive faster than what it takes to spawn a new thread and get back to listen(). Therefore we should ask the stack to queue at least one entry, i.e. use a backlog value of at least 1. There's arguably also a chance of more than two concurrent incoming connections, which would make a case for a backlog value greater than one. A reasonably high value seems to be 128, which also is what SOMAXCONN is on many unix systems. In the choice between 1 and 128, an argument against the higher value is that it may mask the potential problem of spending a long time serving incoming connections. Being reasonably confident that radsecproxy is efficient when it comes to serving incoming connections, by handing them off to a newly spawned thread, I think that 128 is a fine choice. Closes RADSECPROXY-72.
* Update ChangeLog with -77.  [Linus Nordberg, 2017-08-02, 1 file, -0/+1]
|
* Merge branch 'RADSECPROXY-77' into maint-1.6  [Linus Nordberg, 2017-08-02, 2 files, -3/+12]
|\
| * Add mutex guarding realm refcount. (ref: RADSECPROXY-77)  [Linus Nordberg, 2017-07-28, 2 files, -3/+12]
| |
* | Update ChangeLog.  [Linus Nordberg, 2017-08-01, 1 file, -0/+1]
| |
* | Move allocation of memory, making error case simpler.  [Linus Nordberg, 2017-08-01, 1 file, -7/+6]
| |
* | Make warning about failing IPV6_V6ONLY info level.  [Linus Nordberg, 2017-08-01, 1 file, -1/+1]
| | We might have a bug where bindtoaddr() tries to set V6ONLY on IPv4 sockets. Until that's been resolved, don't alarm users on debug level 'warning'.
* | Verify return code from fcntl calls.  [Linus Nordberg, 2017-08-01, 1 file, -2/+10]
| | Have connectnonblocking() warn and fail if setting O_NONBLOCK fails. Have it warn if restoring of flags fails. coverity: 1449515
* | Cleanup varargs in error case too.  [Linus Nordberg, 2017-08-01, 1 file, -0/+1]
| | coverity: 1449517
* | Don't use 'out' if malloc fails.  [Linus Nordberg, 2017-08-01, 1 file, -8/+8]
| | coverity: 1449518
* | Don't risk calling _validauth() with sec == NULL.  [Linus Nordberg, 2017-08-01, 1 file, -1/+1]
| | buf2radmsg() is never called with rqauth != NULL and secret == NULL but let's protect against future callers. coverity: 1449519
* | Check return value from setsockopt().  [Linus Nordberg, 2017-08-01, 2 files, -4/+8]
| | coverity: 1449508, 1449522.
* | Don't deref 'to' if it's NULL.  [Linus Nordberg, 2017-08-01, 1 file, -1/+2]
| | coverity: 1450948
* | Don't use r if malloc fails.  [Linus Nordberg, 2017-08-01, 1 file, -2/+4]
| | coverity: 1450949
* | Free 'in' in success case too.  [Linus Nordberg, 2017-08-01, 1 file, -0/+1]
| | coverity: 1449514
* | Revert ed6f9b47.  [Linus Nordberg, 2017-08-01, 1 file, -2/+1]
| | Going to errexit doesn't free resconf as that commit claims. It does free conf though, which is good. coverity: 1449524
* | Don't pthread_join unless we actually created a thread.  [Linus Nordberg, 2017-08-01, 1 file, -1/+2]
| | coverity: 1449504
* | maketlv() makes a copy of v, so free it.  [Linus Nordberg, 2017-08-01, 1 file, -3/+2]
| | coverity: 1449503
* | add msg-id to debug log output  [Fabian Mauchle, 2017-08-01, 2 files, -3/+3]
| |
* | create new cert_store before reloading CAs and CRLs  [Fabian Mauchle, 2017-08-01, 2 files, -0/+5]
|/  Conflicts: ChangeLog
* Revert partial fix for RADSECPROXY-69 (47ccc9f).  [Linus Nordberg, 2016-11-01, 2 files, -10/+1]
| This was potentially making things worse.
* Look at servers->dynamiclookuparg for deciding if a server is dynamic.  [Linus Nordberg, 2016-11-01, 2 files, -1/+10]
| The dynamiclookupcommand member of the _config_ of the server is being set to NULL when it's copied in confserver_cb(), resulting in dynamic discovery being done for realms that already have a server. Patch from Fabian Mauchle. Addresses RADSECPROXY-69.
* Bump version to 1.6.9-dev.  [Linus Nordberg, 2016-11-01, 3 files, -3/+3]
|
* radsecproxy-1.6.8. (ref: radsecproxy-1.6.8)  [Linus Nordberg, 2016-09-21, 4 files, -4/+9]
|
* Stomp less on other threads memory.  [Linus Nordberg, 2016-09-21, 2 files, -4/+16]
| See RADSECPROXY-64.
* Don't wait for _writable_ when _reading_ a TCP socket.  [Linus Nordberg, 2016-09-19, 1 file, -3/+2]
| Like 92a0c39a for TCP. Patch by Fabian Mauchle.
* Fix spelling.  [Linus Nordberg, 2016-03-23, 1 file, -4/+4]
| Pointed out by Faidon Liambotis.
* radsecproxy-1.6.7 (ref: radsecproxy-1.6.7)  [Linus Nordberg, 2016-03-14, 4 files, -5/+5]
|
* Update ChangeLog for upcoming radsecproxy-1.6.7.  [Linus Nordberg, 2016-03-11, 1 file, -0/+8]
|
* Fix the html target.  [Linus Nordberg, 2016-03-11, 1 file, -5/+6]
| List the three .html files. Add targets for building .html from .1 and .5.
* #include <string.h> for memcpy() and strcmp().  [Linus Nordberg, 2016-03-11, 2 files, -0/+2]
|
* Use DTLS_method() for new SSL context if it exists.  [Linus Nordberg, 2016-03-11, 1 file, -0/+5]
| Effectively turning on support for DTLS 1.2 when OpenSSL version 1.0.2 or higher.
* Allow TLSv1.1 and TLSv1.2.  [Linus Nordberg, 2016-02-25, 1 file, -1/+2]
| This should in theory allow for later versions of TLS too but let's verify that when the time comes.
* Mention radsecproxy-hash(1) in radsecproxy.1.  [Linus Nordberg, 2016-02-25, 1 file, -3/+2]
|
* Install radsecproxy.conf.5 unconditionally. (ref: radsecproxy-1.6.6)  [Linus Nordberg, 2015-01-19, 2 files, -1/+3]
| Keep regeneration of it dependent on configure finding docbook2x-man(1).
* radsecproxy-1.6.6  [Linus Nordberg, 2015-01-19, 4 files, -5/+5]
|
* Refer to RFC6614 instead of the old draft.  [Linus Nordberg, 2015-01-19, 1 file, -2/+2]
|
* ChangeLog for the four security patches.  [Linus Nordberg, 2015-01-16, 1 file, -0/+4]
| Conflicts: ChangeLog
* Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().  [Linus Nordberg, 2015-01-16, 3 files, -0/+12]
| Patch by Stephen Röttger.
* Fix null pointer dereference in decttl().  [Linus Nordberg, 2015-01-16, 1 file, -0/+3]
| Patch by Stephen Röttger.
* Fix use-after-free in _internal_removeserversubrealms().  [Linus Nordberg, 2015-01-16, 1 file, -2/+5]
| Patch by Stephen Röttger.
* Fix use-after-free in hash_extract().  [Linus Nordberg, 2015-01-16, 2 files, -1/+4]
| Patch by Stephen Röttger.
* Remove 'compile', generated by Automake.  [Linus Nordberg, 2015-01-16, 3 files, -143/+2]
| Patch by Christian Hesse.
* Update copyright notice.  [Linus Nordberg, 2015-01-16, 1 file, -1/+1]
| Conflicts: radsecproxy.c
* When CHAP-Password, copy Request Authenticator to CHAP-Challenge.  [Linus Nordberg, 2015-01-16, 3 files, -0/+26]
| Conflicts: radmsg.h
* radsecproxy-1.6.5 --> 1.6.6-dev  [Linus Nordberg, 2015-01-14, 3 files, -3/+3]
|
* Have rewriteIn for servers use the correct config section.  [Linus Nordberg, 2015-01-14, 2 files, -2/+10]
| Conflicts: ChangeLog
* radsecproxy-1.6.5. (ref: radsecproxy-1.6.5)  [Linus Nordberg, 2013-09-06, 4 files, -4/+4]
|
* Have radmsg_copy_attrs() return error in all error cases.  [Linus Nordberg, 2013-09-06, 1 file, -4/+2]
| Also when copying of the first attribute fails.