Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Stop trying to set IPV6_V6ONLY on non-ipv6 sockets.HEADmaster | Linus Nordberg | 2017-11-20 | 4 | -11/+11 |
| | | | | See RADSECPROXY-79 for rationale. | ||||
* | Don't use double backslashes in regexps. | Linus Nordberg | 2017-10-06 | 1 | -5/+5 |
| | |||||
* | Update email addresses. | Linus Nordberg | 2017-08-02 | 1 | -2/+2 |
| | | | | | Linus' address has changed. Let's not give spammers Stig's address any more. | ||||
* | Add ChangeLog entry for RADSECPROXY-72. | Linus Nordberg | 2017-08-02 | 1 | -0/+1 |
| | |||||
* | Update ChangeLog. | Linus Nordberg | 2017-08-01 | 1 | -0/+1 |
| | |||||
* | Move allocation of memory to not have to free in error case. | Linus Nordberg | 2017-08-01 | 1 | -7/+6 |
| | |||||
* | Verify return code from fcntl calls. | Linus Nordberg | 2017-08-01 | 1 | -2/+10 |
| | | | | | | | Have connectnonblocking() warn and fail if setting O_NONBLOCK fails. Have it warn if restoring of flags fail. coverity: 1449515 | ||||
* | Cleanup varargs in error case too. | Linus Nordberg | 2017-08-01 | 1 | -0/+1 |
| | | | | coverity: 1449517 | ||||
* | Don't use 'out' if malloc fails. | Linus Nordberg | 2017-08-01 | 1 | -8/+8 |
| | | | | coverity: 1449518 | ||||
* | Don't risk calling _validauth() with sec == NULL. | Linus Nordberg | 2017-08-01 | 1 | -1/+1 |
| | | | | | | | buf2radmsg() is never called with rqauth != NULL and secret == NULL but let's protect against future callers. coverity: 1449519 | ||||
* | Check return value from setsockopt(). | Linus Nordberg | 2017-08-01 | 2 | -4/+8 |
| | | | | coverity: 1449508, 1449522. | ||||
* | Free 'in' in success case too. | Linus Nordberg | 2017-08-01 | 1 | -0/+1 |
| | | | | coverity: 1449514 | ||||
* | Revert ed6f9b47. | Linus Nordberg | 2017-08-01 | 1 | -2/+1 |
| | | | | | | | Going to errexit doesn't free resconf as that commit claims. It does free conf though, which is good. coverity: 1449524 | ||||
* | Don't pthread_join unless we actually created a thread. | Linus Nordberg | 2017-08-01 | 1 | -1/+2 |
| | | | | coverity: 1449504 | ||||
* | maketlv() makes a copy of v, so free it. | Linus Nordberg | 2017-08-01 | 1 | -3/+2 |
| | | | | coverity: 1449503 | ||||
* | Add mutex guarding realm refcount. | Linus Nordberg | 2017-08-01 | 3 | -3/+13 |
| | | | | NOTE: Only guarding writes. | ||||
* | Add ChangeLog entry for RADSECPROXY-60. | Linus Nordberg | 2017-08-01 | 1 | -0/+1 |
| | |||||
* | Merge branch 'mauchle-radsecproxy-60' | Linus Nordberg | 2017-08-01 | 1 | -3/+2 |
|\ | |||||
| * | add msg-id to debug log outputmauchle-radsecproxy-60 | Fabian Mauchle | 2017-08-01 | 1 | -3/+2 |
| | | |||||
* | | create new cert_store before reloading CAs and CRLs | Fabian Mauchle | 2017-08-01 | 2 | -0/+2 |
| | | |||||
* | | Don't try to set IPV6_V6ONLY on IPv4 sockets. | Linus Nordberg | 2017-07-30 | 2 | -2/+2 |
|/ | | | | | | This is a long standing, non fatal, bug which was revealed when we started looking at return values from all calls to setsockopt() in the coverity branch. | ||||
* | make sure rq->to is set to NULL when cleaning up server output queue | Fabian Mauchle | 2017-03-10 | 2 | -2/+2 |
| | |||||
* | Use a listen(2) backlog of 128. | Linus Nordberg | 2017-01-18 | 2 | -2/+2 |
| | | | | | | | | | | | | | | | | | | | | There's a chance that incoming (legitimate) connections arrive faster than what it takes to spawn a new thread and get back to listen(). Therefore we should ask the stack to queue at least one entry, i.e. use a backlog value of at least 1. There's arguable also a chance of more than two concurrent incoming connections, which would make a case for a backlog value greater than one. A reasonable high value seems to be 128, which also is what SOMAXCONN is on many unix systems. In the choice between 1 and 128, an argument against the higher value is that it may mask the potential problem of spending a long time serving incoming connections. Being reasonably confident that radsecproxy is efficient when it comes to serving incoming connections, by handing them off to a newly spawned thread, I think that 128 is a fine choice. Closes RADSECPROXY-72. | ||||
* | Revert partial fix for RADSECPROXY-69 (98d7bbe). | Linus Nordberg | 2016-11-01 | 2 | -4/+5 |
| | | | | This was potentially making things worse. | ||||
* | Look at servers->dynamiclookuparg for deciding if a server is dynamic. | Linus Nordberg | 2016-11-01 | 2 | -3/+3 |
| | | | | | | | | | | The dynamiclookupcommand member of the _config_ of the server is being set to NULL when it's copied in confserver_cb(), resulting in dynamic discovery being done for realms that already have a server. Patch from Fabian Mauchle. Addresses RADSECPROXY-69. | ||||
* | Copyright year fixes. | Linus Nordberg | 2016-11-01 | 7 | -6/+13 |
| | |||||
* | Add PGP key info. | Linus Nordberg | 2016-11-01 | 1 | -2/+5 |
| | |||||
* | Update README with version, new web site and minor wording. | Linus Nordberg | 2016-11-01 | 1 | -15/+12 |
| | |||||
* | Remove --enable-experimental-dyndisc build config knob. | Linus Nordberg | 2016-11-01 | 4 | -58/+5 |
| | | | | | Be aware that use of the DynamicLookupCommand configuration option still enables code known to be buggy. | ||||
* | Bump version to 1.7.1-alpha-dev. | Linus Nordberg | 2016-11-01 | 2 | -3/+3 |
| | | | | | Next release will be 1.7.1-alpha. When the 1.7 series becomes stable, the `-alpha' prefix is dropped. | ||||
* | Make addr2string(), returning a literal string, const. | Linus Nordberg | 2016-10-19 | 2 | -2/+2 |
| | |||||
* | Exit if stringcopy() fails at allocating memory. | Linus Nordberg | 2016-10-18 | 1 | -1/+1 |
| | | | | | | Writing to 0 seems unwise to me. Returning NULL will simply move the problem to the callers. I admit that a better fix would be to fix all the callers. | ||||
* | Don't follow the NULL pointer, not even in debug printouts. | Linus Nordberg | 2016-10-17 | 2 | -1/+5 |
| | | | | | | Bug reported by Leonhard Knauff. Closes RADSECPROXY-68. | ||||
* | Don't use a smaller pthread stack size than what's allowed. | Linus Nordberg | 2016-10-17 | 1 | -0/+9 |
| | | | | Patch by Kolbjørn Barmen. | ||||
* | Hopefully make clang less unhappy about '#if defined'. | Linus Nordberg | 2016-10-17 | 2 | -1/+2 |
| | | | | Reported by Luke Benes. | ||||
* | Update ChangeLog. | Linus Nordberg | 2016-10-17 | 1 | -4/+14 |
| | |||||
* | Update contact email address. | Linus Nordberg | 2016-10-17 | 1 | -1/+1 |
| | |||||
* | Assert that the server argument is non-NULL. | Linus Nordberg | 2016-10-06 | 1 | -0/+1 |
| | |||||
* | Don't follow the NULL pointer. | Linus Nordberg | 2016-10-06 | 1 | -1/+2 |
| | | | | | In practice, sendrq() is called from two functions, radsrv() and clientwr(), none of which should be able to pass rq->to == NULL. | ||||
* | Update ChangeLog. | Linus Nordberg | 2016-09-21 | 1 | -0/+8 |
| | |||||
* | Require libnettle unconditionally.openssl11-rebased | Linus Nordberg | 2016-09-21 | 6 | -57/+5 |
| | |||||
* | Use libnettle instead of libcrypto (from openssl) for MD5 and HMAC(MD5). | Linus Nordberg | 2016-09-21 | 3 | -137/+75 |
| | | | | | | | | | The HMAC_ and EVP_MD_ API:s changed in OpenSSL 1.1 in a way that made it unfeasable to support both older and newer OpenSSL. Radsecproxy already depends on libnettle for Fticks. Moving away from libcrypto makes it easier to add support for other TLS libraries than OpenSSL. | ||||
* | EVP_MD_CTX and HMAC_CTX are now pointers. | Linus Nordberg | 2016-09-21 | 2 | -106/+106 |
| | | | | | | | NOTE: pwdcrypt(), msmppencrypt(), msmppdecrypt(), _checkmsgauth(), _validauth() _createmessageauth() and _radsign() all become slightly more expensive since we're now allocating and freeing an EVP_MD_CTX or HMAC_CTX on each invocation. | ||||
* | Remove openssl thread lock handling. | Linus Nordberg | 2016-09-21 | 1 | -25/+0 |
| | | | | | openssl-1.1 uses a new threading API which makes manual locking wrt openssl not necessary. | ||||
* | ASN1_STRING_data() -> ASN1_STRING_get0_data(). | Linus Nordberg | 2016-09-21 | 1 | -3/+3 |
| | | | | | ASN1_STRING_data was deprecated in openssl-1.1, see https://www.openssl.org/docs/manmaster/crypto/ASN1_STRING_data.html | ||||
* | Don't call ERR_remove_thread_state(). | Linus Nordberg | 2016-09-21 | 3 | -7/+0 |
| | | | | | Not needed as of openssl-1.1, see https://www.openssl.org/docs/man1.1.0/crypto/ERR_remove_thread_state.html | ||||
* | Use ERR_remove_thread_state() instead of ERR_remove_state(). | Linus Nordberg | 2016-09-21 | 3 | -7/+7 |
| | |||||
* | Stop accessing ssl->rbio directly. | Linus Nordberg | 2016-09-21 | 1 | -5/+5 |
| | |||||
* | Stomp less on other threads memory.stompless-rebased-squashed | Linus Nordberg | 2016-09-21 | 2 | -4/+16 |
| | | | | See RADSECPROXY-64. | ||||
* | Don't wait for _writable_ when _reading_ a TCP socket. | Linus Nordberg | 2016-09-19 | 1 | -3/+2 |
| | | | | | | Like 92a0c39a for TCP. Patch by Fabian Mauchle. |