summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* create new cert_store before reloading CAs and CRLsradsecproxy-50Fabian Mauchle2017-03-242-0/+2
|
* make sure rq->to is set to NULL when cleaning up server output queueFabian Mauchle2017-03-102-2/+2
|
* Use a listen(2) backlog of 128.Linus Nordberg2017-01-182-2/+2
| | | | | | | | | | | | | | | | | | | | There's a chance that incoming (legitimate) connections arrive faster than what it takes to spawn a new thread and get back to listen(). Therefore we should ask the stack to queue at least one entry, i.e. use a backlog value of at least 1. There's arguable also a chance of more than two concurrent incoming connections, which would make a case for a backlog value greater than one. A reasonable high value seems to be 128, which also is what SOMAXCONN is on many unix systems. In the choice between 1 and 128, an argument against the higher value is that it may mask the potential problem of spending a long time serving incoming connections. Being reasonably confident that radsecproxy is efficient when it comes to serving incoming connections, by handing them off to a newly spawned thread, I think that 128 is a fine choice. Closes RADSECPROXY-72.
* Revert partial fix for RADSECPROXY-69 (98d7bbe).Linus Nordberg2016-11-012-4/+5
| | | | This was potentially making things worse.
* Look at servers->dynamiclookuparg for deciding if a server is dynamic.Linus Nordberg2016-11-012-3/+3
| | | | | | | | | | The dynamiclookupcommand member of the _config_ of the server is being set to NULL when it's copied in confserver_cb(), resulting in dynamic discovery being done for realms that already have a server. Patch from Fabian Mauchle. Addresses RADSECPROXY-69.
* Copyright year fixes.Linus Nordberg2016-11-017-6/+13
|
* Add PGP key info.Linus Nordberg2016-11-011-2/+5
|
* Update README with version, new web site and minor wording.Linus Nordberg2016-11-011-15/+12
|
* Remove --enable-experimental-dyndisc build config knob.Linus Nordberg2016-11-014-58/+5
| | | | | Be aware that use of the DynamicLookupCommand configuration option still enables code known to be buggy.
* Bump version to 1.7.1-alpha-dev.Linus Nordberg2016-11-012-3/+3
| | | | | Next release will be 1.7.1-alpha. When the 1.7 series becomes stable, the `-alpha' prefix is dropped.
* Make addr2string(), returning a literal string, const.Linus Nordberg2016-10-192-2/+2
|
* Exit if stringcopy() fails at allocating memory.Linus Nordberg2016-10-181-1/+1
| | | | | | Writing to 0 seems unwise to me. Returning NULL will simply move the problem to the callers. I admit that a better fix would be to fix all the callers.
* Don't follow the NULL pointer, not even in debug printouts.Linus Nordberg2016-10-172-1/+5
| | | | | | Bug reported by Leonhard Knauff. Closes RADSECPROXY-68.
* Don't use a smaller pthread stack size than what's allowed.Linus Nordberg2016-10-171-0/+9
| | | | Patch by Kolbjørn Barmen.
* Hopefully make clang less unhappy about '#if defined'.Linus Nordberg2016-10-172-1/+2
| | | | Reported by Luke Benes.
* Update ChangeLog.Linus Nordberg2016-10-171-4/+14
|
* Update contact email address.Linus Nordberg2016-10-171-1/+1
|
* Assert that the server argument is non-NULL.Linus Nordberg2016-10-061-0/+1
|
* Don't follow the NULL pointer.Linus Nordberg2016-10-061-1/+2
| | | | | In practice, sendrq() is called from two functions, radsrv() and clientwr(), none of which should be able to pass rq->to == NULL.
* Update ChangeLog.Linus Nordberg2016-09-211-0/+8
|
* Require libnettle unconditionally.Linus Nordberg2016-09-216-57/+5
|
* Use libnettle instead of libcrypto (from openssl) for MD5 and HMAC(MD5).Linus Nordberg2016-09-213-137/+75
| | | | | | | | | The HMAC_ and EVP_MD_ API:s changed in OpenSSL 1.1 in a way that made it unfeasable to support both older and newer OpenSSL. Radsecproxy already depends on libnettle for Fticks. Moving away from libcrypto makes it easier to add support for other TLS libraries than OpenSSL.
* EVP_MD_CTX and HMAC_CTX are now pointers.Linus Nordberg2016-09-212-106/+106
| | | | | | | NOTE: pwdcrypt(), msmppencrypt(), msmppdecrypt(), _checkmsgauth(), _validauth() _createmessageauth() and _radsign() all become slightly more expensive since we're now allocating and freeing an EVP_MD_CTX or HMAC_CTX on each invocation.
* Remove openssl thread lock handling.Linus Nordberg2016-09-211-25/+0
| | | | | openssl-1.1 uses a new threading API which makes manual locking wrt openssl not necessary.
* ASN1_STRING_data() -> ASN1_STRING_get0_data().Linus Nordberg2016-09-211-3/+3
| | | | | ASN1_STRING_data was deprecated in openssl-1.1, see https://www.openssl.org/docs/manmaster/crypto/ASN1_STRING_data.html
* Don't call ERR_remove_thread_state().Linus Nordberg2016-09-213-7/+0
| | | | | Not needed as of openssl-1.1, see https://www.openssl.org/docs/man1.1.0/crypto/ERR_remove_thread_state.html
* Use ERR_remove_thread_state() instead of ERR_remove_state().Linus Nordberg2016-09-213-7/+7
|
* Stop accessing ssl->rbio directly.Linus Nordberg2016-09-211-5/+5
|
* Stomp less on other threads memory.Linus Nordberg2016-09-212-4/+16
| | | | See RADSECPROXY-64.
* Don't wait for _writable_ when _reading_ a TCP socket.Linus Nordberg2016-09-191-3/+2
| | | | | | Like 92a0c39a for TCP. Patch by Fabian Mauchle.
* Let env DOCBOOK2X_MAN optionally name the docbook2x-man program.Linus Nordberg2016-09-191-3/+6
| | | | Patch from Fabian Mauchle with a minor change.
* Make docbook2x-man happy on RedHat.Linus Nordberg2016-09-161-3/+1
| | | | Patch from Fabian Mauchle.
* Don't build radsecproxy.conf.5 unless HAVE_DOCBOOK2X_MAN.Linus Nordberg2016-09-161-1/+1
| | | | Patch from Fabian Mauchle.
* Fix spelling.Linus Nordberg2016-03-231-4/+4
| | | | Pointed out by Faidon Liambotis.
* Add changes from 1.6.7.Linus Nordberg2016-03-141-1/+9
|
* Add info about license change to ChangeLog.Linus Nordberg2016-03-111-1/+7
|
* Fix the html target.Linus Nordberg2016-03-091-5/+6
| | | | | List the three .html files. Add targets for building .html from .1 and .5.
* #include <string.h> for memcpy() and strcmp().Linus Nordberg2016-03-092-0/+2
|
* Use DTLS_method() for new SSL context if it exists.Linus Nordberg2016-03-061-0/+5
| | | | | Effectively turning on support for DTLS 1.2 when OpenSSL version 1.0.2 or higher.
* Use TLS_method() for new SSL context if it exists.Linus Nordberg2016-03-061-1/+7
|
* Allow TLSv1.1 and TLSv1.2.Linus Nordberg2016-02-251-1/+2
| | | | | This should in theory allow for later versions of TLS too but let's verify that when the time comes.
* Mention radsecproxy-hash(1) in radsecproxy.1.Linus Nordberg2015-09-171-3/+2
|
* Merge branch 'docu'Linus Nordberg2015-01-222-2/+15
|\
| * Revamp the documentation of a request+response being proxied.Linus Nordberg2015-01-221-9/+7
| |
| * Add comments on functions.Linus Nordberg2015-01-161-0/+3
| |
| * Add more overview to develdoc and correct a factual error.Linus Nordberg2015-01-161-2/+14
| |
* | Install radsecproxy.conf.5 unconditionally.Linus Nordberg2015-01-192-1/+3
| | | | | | | | Keep regeneration of it dependent on configure finding docbook2x-man(1).
* | Refer to RFC6614 instead of the old draft.Linus Nordberg2015-01-191-2/+2
| |
* | ChangeLog for the four security patches.Linus Nordberg2015-01-161-0/+4
| |
* | Fix heap overflow in raddtlsget(), radtcpget() and radtlsget().Linus Nordberg2015-01-163-0/+12
| | | | | | | | Patch by Stephen Röttger.
generated by cgit v1.1 at 2024-10-06 02:30:37 +0000