Adding upstream version 3.2.5+dfsg.upstream/3.2.5+dfsgupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

4 files changed, 75 insertions, 3 deletions

diff --git a/raddb/sites-available/aws-nlb b/raddb/sites-available/aws-nlb
index acea81e..06ca632 100644
--- a/raddb/sites-available/aws-nlb
+++ b/raddb/sites-available/aws-nlb
@@ -33,6 +33,15 @@ listen {
 	proto = tcp
 	ipaddr = *
 	port = 8000
+
+	#
+	#  Set limits so that unused connections get cleaned up quickly.
+	#
+	limit {
+	      max_connections = 16
+	      lifetime = 5
+	      idle_timeout = 5
+	}
 }
 
 #
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 78b7ae7..b4339bd 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -348,6 +348,20 @@ authorize {
 	digest
 
 	#
+	#  The dpsk module implements dynamic PSK.
+	#
+	#  If the request contains FreeRADIUS-802.1X-Anonce
+	#  and FreeRADIUS-802.1X-EAPoL-Key-Msg, then it will set
+	#  	&control:Auth-Type := dpsk
+	#
+	#  The "rewrite_called_station_id" policy creates the
+	#  Called-Station-MAC attribute, which is needed by
+	#  the dpsk module.
+	#
+#	rewrite_called_station_id
+#	dpsk
+
+	#
 	#  The WiMAX specification says that the Calling-Station-Id
 	#  is 6 octets of the MAC.  This definition conflicts with
 	#  RFC 3580, and all common RADIUS practices.  If you are using
@@ -534,6 +548,8 @@ authenticate {
 		pap
 	}
 
+#	dpsk
+
 	#
 	#  Most people want CHAP authentication
 	#  A back-end database listed in the 'authorize' section
diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index c178baa..1197e08 100644
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -194,7 +194,7 @@ authorize {
 	#  LDAP servers can only do PAP.  They cannot do CHAP, MS-CHAP,
 	#  or EAP.
 	#
-#	if (!&control.Auth-Type && &User-Password) {
+#	if (!&control:Auth-Type && &User-Password) {
 #		update control {
 #		       &Auth-Type := LDAP
 #		}
@@ -409,6 +409,13 @@ post-auth {
 			&Module-Failure-Message := &request:Module-Failure-Message
 		}
 	}
+
+	#
+	#  Access-Challenge packets are sent through the Challenge sub-section
+	#  of the post-auth section.
+	#
+	#Post-Auth-Type Challenge {
+	#}
 }
 
 #
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 137fcbc..6eab1fe 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -56,12 +56,15 @@ listen {
 	#
 	type = auth+acct
 
-	# For now, only TCP transport is allowed.
+	#  For now, only TCP transport is allowed.
 	proto = tcp
 
-	# Send packets to the default virtual server
+	#  Send packets to the default virtual server
 	virtual_server = default
 
+	#
+	#  We have clients specifically for TLS.
+	#
 	clients = radsec
 
 	#
@@ -88,6 +91,22 @@ listen {
 #	proxy_protocol = no
 
 	#
+	#  This configuration item should be enabled for all listen
+	#  sections which do TLS.
+	#
+	#  It is only disabled because we are careful about changing
+	#  existing behavior in a stable release.
+	#
+	#  Setting this configuration item to "yes" means that the
+	#  server will be able to gracefully recover if a TLS
+	#  connection is blocking at the network layer.
+	#
+	#  Note that setting "nonblock = yes" is NOT possible for bare
+	#  TCP connections.  RADIUS/TCP should generally be avoided.
+	#
+#	nonblock = yes
+
+	#
 	#  When this is set to "yes", new TLS connections
 	#  are processed through a section called
 	#
@@ -310,6 +329,11 @@ listen {
 		tls_max_version = "1.3"
 
 		#
+		#  See mods-available/eap for documentation
+		#
+		ecdh_curve = ""
+
+		#
 		#  Session resumption / fast reauthentication
 		#  cache.
 		#
@@ -514,6 +538,22 @@ home_server tls {
 	proto = tcp
 	status_check = none
 
+	#
+	#  This configuration item should be enabled for all
+	#  home_server sections which do TLS.
+	#
+	#  It is only disabled because we are careful about changing
+	#  existing behavior in a stable release.
+	#
+	#  Setting this configuration item to "yes" means that the
+	#  server will be able to gracefully recover if a TLS
+	#  connection is blocking at the network layer.
+	#
+	#  Note that setting "nonblock = yes" is NOT possible for bare
+	#  TCP connections.  RADIUS/TCP should generally be avoided.
+	#
+#	nonblock = yes
+
 	tls {
 		#
 		#  Similarly to HTTP, the client can use Server Name