FreeRADIUS 3.0.19 Wed 10 Apr 2019 09:00:00 EDT urgency=high
  Feature improvements
  * Update dictionary.cisco
  * Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540.
  * Re-added "show client config" command to radmin.
  * Cleaned up mods-available/sql example so that it is easier to understand.
  * Added pfSense dictionary. Closes #2581
  * Update dictionary.h3c. Closes #2592
  * Update elasticsearch/logstash config for v6.7.0.
  * EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/
  Bug fixes
  * Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2.
  * Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533.
  * Fix systemd notify, watchdog and unit files. Fixes #2541, #2499.
  * Fix erroneous length check in EAP-FAST.
  * Update documentation to remove old "ignore_null" configuration. Fixes #2578.
  * Fix default POD port. Should be 3799. Fixes #2591
  * Correctly encode vendor-specific "encrypted" attributes. Fixes #2600

FreeRADIUS 3.0.18 Mon 25 Feb 2019 15:00:00 EST urgency=low
  Feature improvements
  * cleanup_delay can now be 30 seconds. This helps with proxies that have packet loss.
  * Do-Not-Respond policies can now be set in the "post-auth" section.
  * Encode / Decode ADSL Forum DHCP options.
  * Fix module ordering issues, e.g. when "sqlippool" needs "sql". See the "instantiate" section of radiusd.conf.
  * Add Big Switch dictionary. Fixes #2252.
  * Add sql_session_start policy (raddb/policy.d/accounting). This minimizes race conditions when using Simultaneous-Use. Patch from Philippe Wooding (#2257).
  * For rlm_perl, all variables are now tainted by default. See raddb/mods-available/perl, and the "perl_flags" configuration item. This change should only affect people who are using variables in insecure ways.
  * Allow "sqlcounter" module to be listed in "post-auth".
  * Add support for IPv6 attributes in SQL. Fixes #2280. Patches from Michael Ducharme.
  * The server is better at handling fail-over for outbound RadSec and TCP connections. Fixes #2284.
  * The server is now more aggressive about retrying failed outbound RadSec and TCP connections. Fixes #2284.
  * Add TLS-Session-Version and TLS-Session-Cipher-Suite to the "session_state" list.
  * Add expansion for RadSec connections. "%{listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-* attributes.
  * Add notes on running "ldapsearch" using the parameters from the LDAP module.
  * "ipaddr" attributes can now be cast to "integer" type attributes in an "update" section.
  * Move main thread queue to using atomic queues. This should help with contention in high load scenarios.
  * Add "recv_buff" setting to listeners. For more details, see sites-available/default
  * The sqlippool module can now use attributes other than "Pool-Name" to assign IP pools. The "Pool-Name" attribute is still the default.
  * The "unpack" expansion can now unpack substrings. See mods-available/unpack for documentation and examples.
  * The preprocess module now does "cisco_vsa_hack" for Eltex-AVPair. Fixes #2301. Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
  * Allow for <instance>-LDAP-UserDN. See mods-available/ldap for more information.
  * Add sanitizing of control list for moonshot. Fixes #2318
  * Update rlm_sql_mysql to be compatible with MySQL 8. Fixes https://bugs.launchpad.net/bugs/1795310.
  * Allow logging of only Access-Accept or Access-Reject messages. See radiusd.conf, "auth_accept" and "auth_reject".
  * Removed Connect-Rate comparison. It was unused and broken.
  * Add dictionary.infinera.
  * RPMs can now change raddb location with rpmbuild parameter --define '_sysconfdir /etc'
  * OpenDirectory module now points to Apple documentation for help with build and configuration.
  * Use OpenSSL HMAC functions instead of local ones.
  * Some SQL modules can now use "auto_escape" to escape unsafe strings.
    See mods-config/sql/main/mysql/queries.conf
  * Add wispr2date conversion in mods-available/date
  * Implement dictionary-based handling in rlm_python. Fixes #2334. See mods-available/python for details.
  * Add support for SKIP LOCKED in sqlippool. This can improve performance by an order of magnitude or more. See raddb/mods-config/sql/ippool/*/queries.conf. Fixes #2383. Patch from Nathan Ward.
  * Updated Debian packages to allow for libssl1.1. Fixes #2384. Patch from Alejandro Perez.
  * Allow PSK and certificates at the same time. Except for TLS 1.3, which does not support that.
  * Update Debian packages for newer releases. Fixes #2391. Patch from Matthew Newton.
  * Update docker scripts. Fixes #2306. Patch from Matthew Newton.
  * Add crypt xlat.
  * MySQL connections can now skip verifying the server certificate. Fixes #2481. See mods-available/sql
  * Add better mechanism to detect MariaDB (Old MySQL).
  * Add RFC 7532 "bang path" support for realms. Fixes #2492.
  * Update dictionary.ukerna documentation. Fixes #2493
  * Add support for systemd service and watchdogs. Fixes #2499.
  * Check for openssl/rand.h, and allow building without OpenSSL engine. Patch from Eneas U de Queiroz. Fixes #2517.
  * The default PostgreSQL queries now use "ON CONFLICT" to better deal with issues. This requires PostgreSQL 9.5 or later. Please use a recent version of PostgreSQL, or edit the default queries to remove "ON CONFLICT".
  Bug fixes
  * The session-state list is no longer cleaned in the inner-tunnel. This lets the outer Access-Reject section access session-state.
  * Fix typo in lock initialization for TLS sockets. Found by Sergio NNX.
  * Add check for crash when home server down. Fixes #2233.
  * Add username key for postauth table.
  * Better libpcap checks, when the header files or libraries are missing. Fixes #2245.
  * Allow building with old versions of OpenSSL. Fixes #2247.
  * Allow non-FreeRADIUS State attributes to be used with the "session-state" list, i.e. State length != 16.
  * Be more aggressive about cleaning up zombie children when running in debug mode.
  * Use LTDL_DEEPBIND, which fixes issues with Oracle libraries exporting LDAP API functions.
  * Unlock files when asked to unlock them.
  * Return error instead of asserting in map code.
  * Don't write 0 bytes to SSL. Fixes #2270.
  * Remove "expiry_time IS NULL" from allocate_update query. Fixes #2262.
  * Various dictionary cleanups and consistency checks. Fixes #2281. Patches from Peter Lemenkov.
  * rlm_python has stronger thread locking to prevent reported issues. Performance may be affected.
  * Don't allow Message-Authenticator to overflow past the end of a large packet.
  * Fix crash in sqlippool when SQL server goes away. Fixes #2300.
  * Typos in man pages. Patch from Nikolai Kondrashov. Fixes #2303.
  * Check for correct OpenSSL version in vulnerability list. Patch from Christian Hesse.
  * Fix crash with CoA packets. Fixes #2304.
  * Fix crash in rlm_exec with CoA. Fixes #2328.
  * Print errors while parsing the log config, and don't quit when deprecated log settings are found.
  * Fix DHCP encoder xlat so that it can be used with a list of attributes. It previously only encoded the first member of the list, and now encodes all members.
  * The "expr" module now skips more whitespace.
  * Remove internal FreeRADIUS-Response-Delay attributes from attr_filter Access-Reject.
  * Don't send junk to redis when maximum args reached.
  * Small updates to IPv6 for accounting schema. Fixes #2364.
  * Fix OpenDirectory integration in rlm_mschap
  * Fix slow memory leak with dynamic clients
  * Don't artificially truncate debug output for long strings.
  * Fix memory leak in EAP-PWD.
  * Fix crash in "hints" file with Fall-Through = yes
  * Fix crash / timer issues with many CoA packets.
  * Fix attr_filter so that it does not treat vendor attributes of number 26 as Vendor-Specific.
  * Fix reconnect correctly in rlm_sql_mysql.
  * Fix rlm_cache to properly use Cache-TTL < 0. Fixes #2485.
  * Fix rare occurrence of bad xlat expansion.
  * Check for rare race condition when a proxy reply arrives too late.

FreeRADIUS 3.0.17 Tue 17 Apr 2018 14:00:00 EDT urgency=low
  Feature improvements
  * Add CURLOPT_CAINFO. Patch from Nicolas C. #2167
  * "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169.
  * Add Dockerfiles for a selection of common systems.
  * Increase number of permitted file descriptors, for systems with many home servers.
  * Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs. Patch from Isaac Boukris. Fixes #2205.
  * Update main READMEs. Patches from Matthew Newton.
  * Added dictionary.mimosa
  * TLS-based EAP methods now create TLS-Session-Version and TLS-Session-Cipher-Suite attributes.
  Bug fixes
  * Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161.
  * Use "raw" string value for shared secrets and dynamic clients. It now parses strings with backslashes and "special characters" correctly. Fixes #2168.
  * Fix RuntimeDirectory for RedHat, from Alan Buxey.
  * Relax checks in 'if' parser, from Isaac Boukris.
  * Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
  * Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich.
  * Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
  * Fix double free in rlm_sql. Fixes #2180.
  * rlm_detail now writes empty Access-Accept packets.
  * rlm_python can now create tagged attributes.
  * Don't crash on duplicate realm + authhost / accthost. Bug found by Richard Palmer.
  * Allow partial certificate chain to trusted CA. Fixes #2162
  * Treat SSL_read() returning zero as error. Fixes #2164.
  * detail writer now checks if the file was renamed or deleted.
  * Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
  * RedHat Systemd updates. Fixes #2184
  * Use correct API for State variable in rlm_securid.
  * Remove broken radclient option "-i".
  * Fix "users" file (and hints, etc).
    So that it does not get confused about entry ordering with multiple $INCLUDEs.
  * Fix rlm_sql to expand the un-escaped string, not the raw string.
  * Link default and inner-tunnel only if they exist. Fixes #2206.
  * Don't use both IP_PKTINFO and IP_SENDSRCADDR.
  * Always install signal handler for SIGINT (needed by Docker).
  * Fix intermediate CA flow for OCSP. Fixes #2160. Intermediate certs which are not self-signed will now be checked.
  * sqlippool now returns "fail" if it fails IP allocation.
  * Fix rlm_yubikey to look for correct attribute in replay attack check.

FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low
  Feature improvements
  * rlm_python now supports multiple lists. From #2031.
  * Add trust router re-keying. From #2007.
  * Add support for Samba / AD LDAP schema. See doc/schemas/ldap/samba/README.txt and doc/schemas/ldap/samba/
  * Add "tls_min_version" and "tls_max_version" to EAP module for Debian OpenSSL issues.
  * Better documentation for client certificates in PEAP and TTLS: it usually doesn't work. Fixes #2068.
  * Distinguish login failure from AD unavailable. Fixes #2069.
  * Update RH spec files. Fixes #2070.
  * Run Post-Proxy-Type if all home servers are dead. Fixes #2072.
  * Print offending IP addresses when EAP sessions come from two upstream home servers, and rate-limit the messages.
  * Minor packaging updates.
  * Better documentation for rlm_rest.
  * EAP-FAST now has its own "cipher_list", so that it is easier to configure.
  * EAP-FAST now forcibly disables TLS1.2, until such time as we implement the new keying mechanism from TLS1.2.
  * Add documentation for allow_expired_crl.
  * Update Debian logrotation. #2093 and #2101.
  * DHCP relay can now drop responses. #2095.
  * rlm_sqlippool can now assign Delegated-IPv6-Prefix. It also now can assign any IPv4 or IPv6 address. Based on patches from maximumG. #2094. See raddb/mods-available/sqlippool for changes.
  * radeapclient can now use EAP-SIM-Ki to dynamically create the necessary triplets.
  * Explain why many LDAP connections are closed. Fixes #1969.
  * Debian build / package issues fixed by Matthew Newton.
  * dictionary.patton updates from Brice Schaffner. Fixes #2137.
  * Added scripts to build "inner-server.pem", and updated mods-config/inner-eap and certs/README to match.
  * Added provisions for using an external CA. See raddb/certs/
  * Include dhcpclient binary in freeradius-dhcp debian package.
  Bug fixes
  * Bind the lifetime of program name and python path to the module. FR-AD-002 (redone)
  * Pass correct statement length into sqlite3_prepare[_v2]. FR-AD-003 (redone)
  * Allow 100-Continue responses with additional headers in rlm_rest.
  * Fix corner case where detail files were not being locked correctly.
  * Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group. Fixes #1947
  * Clean up exfile code, which should help to avoid issues with reading / writing 100's of detail files.
  * Fix build for winbind. Patch from Alex Clouter.
  * Fix checkrad for Mikrotik. Patch from Michael Ducharme.
  * Fix home server stats lookup. Patch from Phil Mayers.
  * Add libjson-c3 as an optional dependency.
  * Require LTB OpenLDAP on CentOS / Redhat, to avoid linking against NSS, which breaks the server. Fixes #2040.
  * rlm_python fixes. Fixes #2041
  * Typos in "man" pages. Fixes #2045
  * Expand "next" in %{%{...}:-%{...}}. Fixes #2048
  * Don't add TLS attributes twice. Fixes #2050.
  * Fix memory allocation in rlm_rest. Fixes #2051.
  * Update trustrouter for new API. Fixes #2059.
  * Fix SQLite issues on FreeBSD. Fixes #2060
  * Don't do debug logging of bad passwords. Fixes #2064.
  * More graceful handling of "die" in rlm_perl. Fixes #2073.
  * Fix occasional crash when using cisco_accounting_username_bug = yes
  * EAP-FAST fixes from Isaac Boukris. #2078, #2076, and #2082, #2126.
  * DHCP fixes, relay, #2092, add run-time check, #2028
  * Decode multiple RADIUS packets at a time in highly loaded RadSec connections. Patch from Jan Tomasek. #2106.
  * TunnelPassword is not "single value" in LDAP schema.
    Fixes #2061.
  * sql log now opens the expanded filename, not the input one. This was a regression introduced in 3.0.15.
  * Remove unnecessary UNIQUE constraint in Oracle schemas.
  * Fix SSL thread and locking issues when modules also use SSL. Fixes #2125 and #2129.
  * Re-add dhcpclient "raw packet" changes. Patches from Nicolas Chaigne and Matthew Newton. Fixes #2155.

FreeRADIUS 3.0.15 Mon 17 Jul 2017 09:00:00 EDT urgency=high
  Feature improvements
  * Provide HOSTNAME in default systemd files.
  * Incorporate RedHat specific files
  * Update dictionary.starent, dictionary.ruckus
  * Allow builds without TCP or DHCP
  Bug fixes
  * Fix multiple issues. See this web page for details: http://freeradius.org/security/fuzzer-2017.html
  * Pass correct statement length into sqlite3_prepare[_v2]
  * Bind the lifetime of program name and python path to the module
  * Check input / output length in make_secret(). FR-GV-201
  * Fix read overflow when decoding DHCP option 63. FR-GV-206
  * Fix write overflow in data2vp_wimax(). FR-GV-301
  * Fix infinite loop and memory exhaustion with 'concat' attributes. FR-GV-302
  * Fix infinite read in dhcp_attr2vp(). FR-GV-303
  * Fix buffer over-read in fr_dhcp_decode_suboptions(). FR-GV-304
  * Decode 'signed' attributes correctly. FR-GV-305
  * Use strncmp() instead of memcmp() for bounded data. FR-AD-001
  * Bind the lifetime of program name and python path to the module. FR-AD-002
  * Pass correct statement length into sqlite3_prepare[_v2]. FR-AD-003
  * Print messages when we see deprecated configuration items
  * Show reasons why we couldn't parse a certificate expiry time
  * Be more accepting about truncated ASN1 times.
  * Fix OpenSSL API issue which could leak small amounts of memory. Issue reported by Guido Vranken.
  * For Access-Reject, call rad_authlog() after running the post-auth section, just like for Access-Accept.
  * Don't crash when reading corrupted data from session resumption cache. Fixes #1999.
  * Parse port in dhcpclient. Fixes #2000.
  * Don't leak memory for OpenSSL.
    Patch from Guido Vranken.
  * Portability fixes taken from OpenBSD port collection.
  * Run rad_authlog after post-auth for Access-Reject.
  * Don't process VMPS packets twice.
  * Fix attribute truncation in rlm_perl
  * Fix bug when processing huntgroups.

FreeRADIUS 3.0.14 Fri 26 May 2017 13:00:00 EDT urgency=medium
  Feature improvements
  * Enforce TLS client certificate expiration on session resumption, and Session-Timeout. See CVE-2017-9148.
  * Updated dictionary.cisco.vpn3000, dictionary.patton
  * Added dictionary.dellemc
  * Lowered the log output for failed PEAP sessions.
  * Allow utc in rlm_date. Patch from Peter Lambrechtsen.
  * The internal OpenSSL session cache has been disabled. Please see mods-available/eap
  * Update detail reader documentation. Patch from Matthew Newton. Fixes #1973.
  * Make outgoing RadSec connections non-blocking.
  * Add SQL backing to Moonshot-*-TargetedId generation. Patch from Stefan Paetow.
  Bug fixes
  * radtest uses Cleartext-Password for EAP, not User-Password.
  * Update documentation for mods-enabled/ linking.
  * Enhanced checks for moonshot salt. Fixes #1933.
  * Allow session resumption for RadSec connections. Fixes #1936.
  * Update "huntgroups" file to note that port ranges are not supported.
  * Fix OpenSSL permissions issues on default key files. Fixes #1941.
  * Certificates are not required when PSK is used.
  * Allow SubjectAltName as first extension in cert. Fixes #1946.
  * Fixed talloc issue with TLS session resumption. Fixes #1980.
  * "&Attr-26 := 0x01" now produces useful error messages.
  * Handle connection error in rlm_ldap_cacheable_groupobj. Fixes #1951.
  * Fix endian issues in DHCP.
  * Multiple minor fixes for Coverity complaints.
  * Handle unexpected regex. Fixes #1959.
  * Fix minor issues in dictionaries.
  * Fix typos and grammar. Patches from Alan Buxey.
  * Fix erroneous VP creation in rlm_preprocess.
  * Fix MIB. Patch from Jeff Gehlbach.
  * Trust router updates from Alejandro Perez.
  * Allow build with LibreSSL.
    Fixes #1989
  * Use correct packet for channel bindings. Fixes #1990.
  * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more information.
  * Fix incorrect length check in EAP-PWD. This may be exploitable.

FreeRADIUS 3.0.13 Mon 06 Mar 2017 13:00:00 EDT urgency=medium
  Feature improvements
  * Add dictionary.rfc7930. Note that we do not implement the RFC.
  * Added 'cipher_server_preference' to mods-available/eap. Patch from #1797.
  * OpenSSL 1.1.0 compatibility fixes.
  * rlm_perl: radiusd::xlat to evaluate xlat string within perl script
  * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap.
  * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize".
  * Document Trust Router tr_port option. Patch from Stefan Paetow.
  * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton.
  * Print information about packets, replies, and contents in the detail file reader.
  * Update abfab-tr policy. Pull request #1893 from Stefan Paetow.
  * Reject packets which contain User-Password and EAP-Message.
  * Add example for filtering Access-Challenge. See sites-enabled/default.
  * Pull symlink fixes from v4.0.x. Fixes #1859.
  * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662.
  * Better documentation for listen "ipaddr". Fixes #1921
  * Add dictionary.cnergee, updated dictionary.nomadix.
  * radclient no longer needs -x to print statistics with -s.
  Bug fixes
  * Minor typos. Fixes #1763
  * Fix typo in RPM build. Closes #1767.
  * rlm_mschap check for password expiry only if password was correct. Fixes #1762.
  * Update debian build.
  * Update rlm_counter "man" page. Fixes #1775.
  * Remove erroneous assert. Fixes #1778.
  * Fix mschap password change test. Fixes #1792.
  * Cleanup config file on data remove. Fixes #1795.
  * passwd module returns "notfound" if not found.
  * Check for old OpenSSL, and don't build rlm_eap_fast if necessary. Fixes #1803
  * Cleanup memory better after ldap version query. Patch from Aleksey Katargin.
  * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277
  * Many miscellaneous fixes and typos.
  * Allow long strings in %{%{foo} bar:-%{baz} blah}. Fixes #1866
  * Fix filtering operators, along with more documentation and more tests for them.
  * Fix OpenSSL fixes. Fixes #1876.
  * Finish SQL select queries even when SELECT returns no rows. Fixes #1879.
  * Set Module-Failure-Message for more EAP errors.
  * Correct typo in dictionary.rfc5580. Fixes #1882
  * Remove obsolete systemd syslog.target.
  * Client-Port-Balance load-balancing now uses client port.
  * Radrelay examples fixed from Alex Clouter.
  * Update systemd target. Pull request #1896.
  * Trim starting whitespace in xlat strings.
  * Get MySQL result lengths using normal API.
  * suid down after fchown(). Fixes #1914.
  * Fix cases of comparing pointer to NUL character. Fixes #1915.
  * OpenSSL v1.1 fixes. Pull request #1921.
  * Better handle v4/v6 host names. Pull request #1919.
  * Remove "Auth-Type = System" from docs and examples.
  * Don't crash on malformed %{home_server}. Fixes #1922
  * Fix erroneous use of talloc destructor in rlm_eap
  * Issue trigger modules.sql.fail. Fixes #1923
  * Document python_path gotchas. Fixes #1845
  * dlopen() the specific version of Python. Fixes #1592

FreeRADIUS 3.0.12 Thu 29 Sep 2016 13:00:00 EDT urgency=medium
  Feature improvements
  * Add support for =~ and !~ in update sections. See "man unlang"
  * Add dictionary.checkpoint.
  * Simultaneous-Use prints out more information.
  * Print WARNING in debug mode when packets may be truncated.
  * Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool.
  * Mark rlm_sql_freetds as stable.
  * Make rlm_perl less fragile. Patch from Herwin Weststrate.
  * Allow extended attributes to have "encrypt=2"
  * Update dictionary.aruba.
  * Add support for EAP-FAST. This is an isolated feature which does not affect anything else.
  * Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016.
  * EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled.
  * New dhcpclient and rlm_rad_counter man pages.
  * Minor abfab and moonshot additions.
  * Pass CFLAGS through from environment in RPM builds. Allows more custom builds.
  * Build with Heimdal in addition to libkrb5.
  Bug fixes
  * Use correct typedef for older versions of sqlite.
  * Update mssql schema to add priority
  * Don't complain on /dev/urandom in ldap
  * Fix == operator in update sections
  * Don't create DHCP strings with many trailing zeros. Patch from Nicolas C. Fixes #1526.
  * Allow MS-CHAP change passwords instead of complaining on large buffer.
  * Allow assignment or equality operator on SQL.
  * Update aclocal tests for FreeBSD 10. Patches from Mathieu Simon.
  * Remove occasional hang in rlm_linelog.
  * Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544
  * A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x.
  * do_not_respond again works in post-proxy
  * Allow realm "~^.*$" {} and User-Name with no realm.
  * Fix leak when creating unknown attributes
  * Fix Debian / logrotate.
  * Make OpenSSL error functions thread-safe.
  * Fix crash with rlm_sql and updating SQL-User-Name.
  * Debian build updates.
  * Allow regular expression comparisons in radclient. Fixes #1574.
  * Fix memory leak on unknown attributes in detail file reader.
  * Update example paths in "man" pages when installing them
  * Build fixes for rlm_mschap. Fixes #1489.
  * BSD build fixes. Patch from issue #1583.
  * Be more careful about /lib/ when building. Fixes #1585.
  * Correct ifdef placement error. Fixes #1572.
  * Allow for more files in internal "exfile" API, so it will be possible to open more than 64 "detail" files at the same time.
  * Remove support for statically built EAP modules. Fixes #1591.
  * Many fixes to rlm_python from Guillaume Pannatier.
  * Use correct week adjustment in SQLcounter. Fixes #1608
  * Minor fixes to allow compilation without DHCP, VMPS, or TCP.
  * Fix checks for module / config file change on HUP.
  * Compile regex comparisons when sent via "debug condition". Fixes #1632.
  * Update filenames in documentation and examples. Patch from Alan Buxey, #1655.
  * Don't crash if SQL connection becomes unavailable. Fixes #1640.
  * Disallow originate_coa when proxy_requests = no. Fixes #1684.
  * Free rad_perlconf_hv in correct perl context. Fixes #1675.
  * Multiple fixes for Debian builds. #1510, among others.
  * Set OpenSSL FIPS compatibility flag when necessary.
  * Pulled fixes for the build system over from other branches.
  * Fix OCSP for RADIUS over TLS.
  * Fix skip_if_ocsp_ok behavior.
  * Better fixes for systems without closefrom() but which have /proc. Fixes #1757.
  * Minor build fixes back-ported from v4.0.x.
  * Build with --without-ascend-binary. Fixes #1761.
  * Be more aggressive about not opening new connections in debug mode after CTRL-C. Address #1604.

FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium
  Feature improvements
  * "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast.
  * Allow shorthand form of ipv4prefix values, e.g. 127/8.
  * Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates, which might be wrong.
  * Added printing of coa and disconnect stats (radmin).
  * radclient defaults to expecting Access-Accept responses to Status-Server.
  * Updated dictionary.lancom, dictionary.starent.
  * Portability fixes for Solaris.
  * More errors from ntlm_auth get passed to MS-CHAP.
  * Update abfab-tr-idp virtual server.
  * Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients.
  * The server now issues a WARNING message if duplicate configuration items are found.
  * TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok".
  * Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check.
  * Interoperate with AD and "LmCompatibilityLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap.
  * TTLS and PEAP now require "virtual_server" to be a real server.
  * Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements.
  * Various rlm_python fixes from Herwin Weststrate.
  * Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond.
  * elasticsearch updates from Matthew Newton
  Bug fixes
  * Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL.
  * Fix compatibility issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types.
  * Data type "ipv4prefix" is parsed correctly.
  * Use correct talloc context in rlm_exec. Fixes #1338.
  * Complain in unlang if "else" is used with no previous "if" or "elsif".
  * Send accounting status packets to the accounting port. Fixes #1364.
  * Print out CFLAGS when doing "radiusd -Xxv"
  * Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira.
  * Fixes for LEAP proxying. Don't use LEAP!
  * Fix issue with "directory already exists" seen when doing "make install".
  * Fixed bug with radmin related to the option "stats detail <filename>"
  * Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398
  * Fixed SoH. Attributes were not being copied to the virtual server.
  * Used a wrong list for global statistics in "stats".
  * Create EAP-PWD identity correctly. Prevents segfaults.
  * Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
  * Fix includes in installed headers.
  * OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly.
    See raddb/mods-available/eap, "disable_tlsv1_2"
  * Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries.
  * Fix home server fail-over for home servers using TCP and/or RadSec.
  * Special characters in expanded regexes are now escaped, e.g. for a User-Name containing '.', when comparing /%{User-Name}/ the '.' will now be escaped. See src/tests/keywords/regex-escape.
  * Use correct authentication vector when sending Access-Reject replies for RadSec.
  * Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute.
  * Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
  * Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API.
  * Automatically skip zero-length attributes when sending packets, instead of erroring out.

FreeRADIUS 3.0.10 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
  Feature improvements
  * Do more optimization of unlang policies. This makes run-time a bit faster.
  * Re-name most of the functions in src/lib. Third-party module authors will have to do the same.
  * More documentation on contributing and how to write modules.
  * Update radiusd.service for systemd.
  * Open IPv6 proxy socket if the server is listening on IPv6 auth / acct / coa packets.
  * Create debian packages for DHCP. Fixes #1125.
  * Add more tests for "update" section parsing.
  * Update "man" pages.
  * Update attributes for Alcatel 7750
  * Add dictionary for Boingo Wi-Fi
  * Add support for DHCP lease queries. See raddb/sites-available/dhcp
  * On HUP, check all modules for config files which have changed, and only re-load those modules.
  * Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate.
  * Documentation fixes from Alan Buxey and Matthew Newton.
  * Update "logrotate" script.
  * Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS.
  * Don't crash when doing radmin -e "help hup". Patch from Matthew Newton.
  * The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes.
  * Update debian packages. Patches from Christopher Hoskin.
  * Many other debian packaging fixes from Matthew Newton and Herwin Weststrate.
  * Add "session-state" to Perl. Patch from Herwin Weststrate.
  Bug fixes
  * Fix rlm_files so that there are no collisions when loading 10's of 1000's of users.
  * Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly.
  * Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'.
  * Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable.
  * Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence.
  * Fix deadlock when reconnecting connections in the connection pool.
  * Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer.
  * Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic.
  * Fix radclient issue with TCP sockets on FreeBSD.
  * The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root".
  * Handle tags when using maps. Fixes #1191.
  * Fix crash when CoA packets time out.
  * Fix parse error in rediswho
  * Fix regex support in SQL radcheck, the "users" file, and radsniff.
  * Register listen xlat earlier, so that it's available when the virtual servers are being parsed.
  * Parse Ascend-Data-Filter when given as "0x..."
  * Print Ascend-Data-Filter correctly. Add test cases for both.
  * Allow old-style clients again. They will be disallowed for 3.1.0 and following.
  * Complain instead of crash when "else" and "elsif" are in the wrong place.
  * Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods.
  * Prevent the server from unlinking the control socket of an already running instance.
  * Fall back to using the configured OCSP URL if one exists, and no URL is provided in the certificate.
  * Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira.
  * Lower peak memory usage by decreasing size of internal memory pools.
  * The control socket is now left in place if a second copy of the server is accidentally started.
  * Allow virtual attributes in "switch", "case", etc. Fixes #1240 and #1265.
  * Many spell check / typo fixes in comments and example configuration files.
  * Better handle multiple DHCP listeners.
  * Don't print secrets for old-style realms. Fixes #1267.
  * Don't fall through in empty "case" statements. Fixes #1274.
  * Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
  * Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
  * Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=).
  * Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant.
  * Do not include M= in MSCHAPv1 errors. It's not supported.

FreeRADIUS 3.0.9 Wed 08 Jul 2015 12:00:00 EDT urgency=medium
  Feature improvements
  * Make "pool" configurations more consistent, and update documentation for them.
  * Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability.
  * More VSAs for 3GPP2
  * Added examples of multi-value attributes to rlm_perl.
  * LDAP-Group and SQL-Group attributes are now dynamically allocated.
  * Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap".
  * Unknown attributes are now complained about more often when used in unlang statements. e.g.
if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error. * Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier. * Move to C99 initializers for modules. * Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate". * Added 'bootstrap' section to modules. Third-party modules will need to be updated. * When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list. * When reading dynamic clients from a file, don't expire them if the underlying file is unchanged. * Allow the server to originate CoA requests from the post-auth stage. * The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist. * Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification. * HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else. * Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved. * Increase default max_requests to 16384. Memory is cheap now. * Added "stats memory" commands to radmin. Debug build only. * Aptilo controller dictionary updates. * SQL modules now use Acct-Unique-Session-Id everywhere. * The redis modules are now stable. * The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds. * DHCP code is now in libfreeradius-dhcp. * More DHCP encoding / decoding unit tests. * rlm_replicate can now be listed in the "accounting" section. * Better sqlite debugging output. * Remove "required" option from many sql_ippool directives. * Set default CA "basic constraints" to "critical". Fixes #1073 * Updates to help / man pages from Jorge Pereira. 
  * Added more tests.
  Bug fixes
  * Be more careful about unused config item warnings when using -Xx.
  * Move more defines to be auto-generated.
  * Allow virtual servers in proxy fallback.
  * Allow %{module:} to work.
  * Don't crash in RadSec. Closes #980.
  * Return better errors when a unix group / user is not found.
  * Re-enable detail module "locking" parameter.
  * Don't crash when logging replies from Status-Server packets.
  * The couchbase module now uses "update" instead of "map", for consistency with the rest of the server. See raddb/mods-available/couchbase.
  * Don't require NT-Password for MS-CHAP password changes.
  * Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, though.
  * Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015
  * Fix dynamic clients read from SQL in non-debug mode.
  * MS-CHAP now allows retries (i.e. password change) when passwords are expired.
  * Allow "user=radiusd" when the server is already user "radiusd".
  * suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership.
  * Fix issue which caused the server to sometimes have problems when a home server was marked zombie.
  * Fix format.pl because Perl is now more picky.
  * Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port.
  * Fix corner case with cursor functions and removal.
  * OpenDirectory fixes and documentation.
  * Fix leaks in rlm_redis.
  * RFC 6929 "evs" attributes are now encoded / decoded properly.
  * Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests.
  * Printed attributes again use double quotes instead of single quotes.
  * Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.
  * rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert.
  * Make "break" work in "foreach" loops.
  * Allow dynamic expansions to work again in the "hints" file.
  * Correct minor typos in comments and examples from Alan Buxey.
  * Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialize.

FreeRADIUS 3.0.8 Wed 22 Apr 2015 13:30:00 EDT urgency=medium
  Feature improvements
  * Allow syslog_severity to be set in rlm_linelog.
  * Allow defaults to be set for bulk clients in LDAP and couchbase.
  * Updates to dhcpclient. Patches from Nicolas C.
  * rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton.
  * Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random.
  * Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
  * Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken.
  * Add support for server side sort controls when searching for user objects in rlm_ldap.
  Bug fixes
  * Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block.
  * Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emitted during config parsing.
  * Fix ASSERT on truncated detail packets.
  * Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc.
  * Fix issue in "switch" when "correct_escapes = false". Fixes #911.
  * Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail.
  * Allow forward references in configuration items. Modules aren't always loaded in a sane order.
  * Fix more escaping issues. Closes #912.
  * Decode MAC addresses correctly for VMPS.
  * Fix memory leak with TLS connections.
  * Fix state machine threading issues for conflicting packets.
  * Fix copy_request_to_tunnel issues for tagged attributes.
  * Allow "ok" to over-ride "updated" inside of Auth-Type sections.
  * Update state machine so that post-proxy is run through child threads for performance, instead of blocking the main thread.
  * Allow "netmask" to work again in client definitions.
  * Relax restrictions on SQL group queries.
  * Track outgoing proxy sockets and clean them up more aggressively.
  * Track proxy statistics, including CoA and Disconnect.
  * If radmin has a connection failure when running a command, it re-connects and runs the command again.
  * Mark home servers "unknown" less aggressively.
  * Fix potential SEGV in PostgreSQL driver on error.
  * Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients.
  * Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required.
  * Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap.
  * Fix invalid assert in state.c, that could cause abort in post-auth.
  * Fix double free when -m flag is used, and connection pools are referenced by multiple modules.
  * RADIUS over TLS accounting uses the same port as authentication.
  * Regularized return codes from radmin commands.
  * Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script.
  * radwho and radlast now have a -D option to load dictionaries.
  * DHCP packets are no longer checked for duplicates.
  * Don't crash in sql module group comparisons in corner case.
  * Calculate MPPE keys correctly when using TLS 1.2.
  * Fix load-balance sections. Closes #945.
  * TLS certificates are available again in the post-auth section. They are not available for session resumption.
  * radclient encodes CHAP-Password properly when using -c. Closes #955.
  * Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated.
  * Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error.
  * Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups.
  * Fixes to PostgreSQL queries. Patches from Santiago Gimeno.

FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
  Feature improvements
  * Allow coa home_servers to be derived from client sections if a coa_server section is provided.
  * Automatically determine the correct port if no port is provided for a home server.
  * Allow foreach to operate over lists.
  * Add compile time features to ${feature.*} and versions of core libraries to ${version.*}. Feature and version names match output of radiusd -xv. %v is now deprecated.
  * Add support for PATCH method in rlm_rest.
  * Validate more module xlats on startup, and warn if an xlat expansion is found in a double quoted config item which will not be expanded.
  * Add support for sub-second timeouts in rlm_rest.
  * Add support for connection timeouts in rlm_rest.
  * Add %{jsonquote:<str>} xlat to escape strings for insertion into json documents.
  * Add %{ldapquote:<str>} xlat to escape strings for insertion into ldap DNs.
  * Add %{explode:&ref <char>}, which splits the value of &ref on <char> and creates new &ref type attributes with the fragments.
  * Allow rlm_ldap to use attribute references for base_dn and filter config items. The attribute references are not escaped, allowing DNs and filters to be created dynamically.
  * Add %{nexttime:[<int>]h|d|w|y} to calculate the number of seconds before the next <int> hour(s), day(s), week(s), or year(s).
  * Allow the left side of update sections to be xlat expansions. The result of the expansion is then used to reference the attribute to be modified.
  * Added %{lpad:&Attribute-Name 7 x} and rpad. These produce fixed-width output strings, with padding to the left (lpad) or the right (rpad).
  * For some SQL drivers (MySQL, sqlite) distinguish between constraint violations (on insert), invalid queries, and server errors, and return noop, invalid, and error respectively.
  * Call SHOW WARNINGS in the MySQL driver and write them to the request log, if libmysqlclient indicates warnings are available on the server.
  * Forbid the creation of Vendor-Specific for non-standard VSAs. Use Attr-26 = 0x... instead.
  * Make dhcpclient work with raw sockets and various other improvements. Contributed by nchaigne.
  * Add support for SSHA2. Contributed by PDD.
  * Add perle dictionary. Contributed by Hachmer.
  * Modernise init scripts for RHEL, SUSE and Debian.
  * radmin now tracks the return code of commands, and exits with status "1" if any command failed to execute.
  * radmin now sends error messages from the server to stderr, instead of to stdout.
  * radmin now looks for sockets matching its UID and GID, rather than just always using the first one it finds.
  * radmin can now delete clients which are tied to a listener.
  * Moved RADIUS attribute definitions to src/include/rfc*.h.
  * Move to talloc pools for requests. For in-memory tests (default config, 'users' file), performance increases by 30%.
  * In rlm_ldap allow sasl_mech to be specified for admin and user binds. Only non-interactive mechs (like EXTERNAL) are currently supported.
  * Remove support for ephemeral RSA keys. They were "export only", and should not be used by anyone.
  * Syntax errors in the "users" file now produce better error messages.
  Bug fixes
  * Fix issues parsing LDAP hostnames with non-standard ports.
  * Fix issues with realms containing regular expressions.
  * Allow unary negation before parentheses in rlm_expr.
  * Fix infinite loop in kevent event loop code. Issue only presented on FreeBSD.
  * Be more careful to define Auth-Types before loading modules.
  * Link libfreeradius-radius against OpenSSL too, to avoid multi-version symbols in SSL libraries.
  * When rlm_ldap rebinds a connection, it should use bind credentials from the module that created the connection pool, not credentials from the module referencing it.
  * Empty server config pairs should be allowed in rlm_ldap instances that reference another module's connection pool.
  * Mark rlm_always as huppable, so its rcode can be changed via radmin (allows policy toggles).
  * Emit warnings when ignoring user configured pool values.
  * Fix issue that would cause radclient to complain intermittently about differing numbers of filters and requests.
  * Fix cosmetic issues in connection pool logging, that made it appear as if the same connection was being opened multiple times.
  * Fix threadsafety issues in SQL drivers, where a static buffer was used to store error messages.
  * Log RERROR, RWARN, RINFO to the global log if request logging is not enabled.
  * Link to libldap instead of libldap_r. libldap_r is not supported for use by projects outside of OpenLDAP.
  * Set connection timeout correctly in rlm_sql_mysql.
  * Build with older versions of libcurl, and use CFLAGS from curl-config.
  * Honour Packet-Src-Port and Packet-Src-IP-Address in radclient.
  * Initialise ldapai_info_version field, so libldap will report its vendor and version.
  * Fix log rotation scripts by using the copyrotate option.
  * Fix issue that caused opening control sockets to always fail on non-Linux systems, if a user or group was set.
  * Save Session-State after proxying.
  * Additional fixes for reading CoA/DM requests from detail files.
  * Create dynamic clients if the dynamic clients virtual server returns ok *or* updated. Emit useful messages for other codes.
  * Compile bare "authorize" statements, and issue errors saying using them isn't a good idea.

FreeRADIUS 3.0.6 Wed 17 Dec 2014 16:00:00 EDT urgency=medium
  Feature improvements
  * radmin / raddebug conditional errors are printed to the output, instead of being discarded.
  * raddebug will exit if the condition set with -c was invalid.
  * radmin auto-reconnects if the connection to the server has gone away.
  * rlm_cache now has submodule support. See raddb/mods-available/cache.
  * New memcached driver for rlm_cache. See raddb/mods-available/cache.
  * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
  * Add &Attribute-Name[n] which gets the last instance of an attribute, e.g. Module-Failure-Message[n].
  * Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
  * When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
  * Support JIT compilation of compiled regular expressions when built with libpcre.
  * Support named capture groups with "%{regex:<name>}" when built with libpcre.
  * Increase regular expression capture groups from 8 to 32.
  * Emit error markers for badly formed regular expressions.
  * Allow 'm' flag to enable multiline mode in regular expressions.
  * Support limited implicit attribute conversion in update sections.
  * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
  Bug fixes
  * PEAP works again. As does proxying EAP-MSCHAPv2 from inside of a PEAP tunnel.
  * "group" is allowed inside of "instantiate" sections.
  * update disconnect {} with disconnect:Packet-Dst-IP-Address now works correctly.
  * Regular expression comparisons of non string attributes are now disallowed in the files module. Previously they would silently fail or produce undefined behaviour.
  * Fix parsing of old regular expressions. Closes #842.
  * Fix off by one error in ascend filters. Closes #843.
  * Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
  * Fix infinite loop on "Fall-Through = yes" when processing SQL groups.
  * Correct the check of SQL query return code.
  * Run "Post-Auth-Type Reject" if the request was rejected in post-auth.
  * Write "Login OK" only if the post-auth section passed.
  * Create TLS-Cert-* certificates, even when EAP session caching is disabled.
  * Finalize the "correct_escapes" with many more tests.
  * Move to the new OpenLDAP libldap API, fixes more issues with binary values.
  * Fix potential memory corruption in rlm_ldap if start connections were set to 0, and the server was running in threaded mode. The fix is a workaround for an issue in libldap and was suggested by Howard Chu.
  * Give parse errors on "%{...", without the closing brace.
  * Allow spaces in certificate passwords for build rules in raddb/certs/.
  * Make all regular expression evaluation binary safe. Where that's not possible, emit an error if the pattern or subject contains an embedded null byte.
  * Fix various issues around masking IPv6 addresses.
  * Give descriptive error if unknown attributes are used in "update" sections.
  * Deal gracefully with cases where ldap_initialize isn't available, and use it exclusively when it's available.

FreeRADIUS 3.0.5 Fri 21 Nov 2014 15:30:00 EDT urgency=medium
  Feature improvements
  * Large update to Huawei dictionary.
  * Added dictionary.rfc7155.
  * Regular expressions like /%{User-Name}/ are now parsed and validated when the server starts.
  * All configuration items which are dynamically expanded are now parsed and validated when the server starts.
  * %{expr:...} expressions can now do bit shifting and more. See raddb/mods-available/expr.
  * The detail file reader can now track packets which have had replies, so they are never re-transmitted. See raddb/sites-available/buffered-sql, the "track" config item.
  * CoA and Disconnect packets can now be sent to a specific home server by setting control:Packet-Dst-IP-Address and (optionally) control:Packet-Dst-Port.
  * Allow CoA and Disconnect packets to be read from the detail file.
  * Allow LDAP to specify arbitrary attributes for dynamic clients.
  * Convert all unused attributes in the control: list to config pairs in dynamic clients. This allows arbitrary client attributes to be set for dynamic clients too.
  * rlm_couchbase now supports bulk loading of clients on startup in a similar way to rlm_ldap. Contributed by Aaron Hurt.
  * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
  * Rename dictionary.redback to dictionary.ericsson.ab.
  * Add --disable-openssl-version-check option to configure, so vendors can disable the check. Patch from Nikolai Kondrashov.
  * Do context-specific indenting in debug messages. This makes the debug output easier to read.
  * Make configuration a separate RPM, just like for Debian.
  * Better decoding of unknown VSAs.
  * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
  * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
  * Document retry_delay in connection pools.
  * Allow checksimul in rlm_couchbase.
  * Use kqueue on systems which support it. This allows for better scaling when using many sockets.
  Bug fixes
  * Parse list qualifiers in generic LDAP 'valuepair_attribute' attributes correctly.
  * Fix issue where prefix length would be ignored for dynamic or static clients if the address matched INADDR_ANY (0.0.0.0).
  * Allow null user object filter in rlm_ldap; it's valid to specify a complete object DN and use the base scope.
  * Don't SEGV if a received attribute value in a JSON structure is null, or a value can't be stringified.
  * Don't assert if the server returns a JSON content-type and the server hasn't been built with support for JSON. Closes #808.
  * Set CURLOPT_NOSIGNAL to prevent curl from handling signals and causing a longjmp error when the server was running with threads.
  * Allow tabs after attribute names in the "users" file. Closes #796.
  * Free unknown DICT_ATTRs. Closes #795.
  * Handle unknown attributes in the conditions and "update" sections, e.g. Attr-1.2.3.4 = foo.
  * Use correct array size for MS-CHAP new password.
  * In rlm_rest, check for older versions of libraries at start time, rather than when a packet comes in.
  * Don't call detach on parse error in rlm_perl. Closes #802.
  * Integer fixes for big-endian systems. Closes #803.
  * Don't optimize %{Packet-Src-IP-Address}. Closes #804.
  * dhcpclient loads dictionaries correctly. Closes #805.
  * Double quotes are no longer escaped in single-quoted strings, e.g. 'foo "hello" bar'.
  * Fixes for proxying to virtual servers broke the detail file reader. Now they both work.
  * Typos and fixes from Nikolai Kondrashov.
  * Fixes to OpenSSL version checks, for cross-platform issues.
  * cppcheck fixes from Herwin Weststrate.
  * Fix build for OSX Yosemite.
  * Merge DHCP sub-options. Closes #812.
  * Fix decoding of Starent attributes.
  * When a module asks for a connection, don't return idle connections.
  * LDAP connection timeouts will now retry, instead of failing.
  * Prevent race conditions between fork and wait for child. Patch from James Rouzier.
  * Fix triggers for connection pools. Patches from Nikolai Kondrashov.
  * Fix SEGV when comparing non string type check items.
  * Build with newer versions of libmysqlclient.
  * Make the %{escape:} and %{unescape:} xlat functions UTF8 safe.
  * Don't escape UTF8 chars in SQL query strings.
  * Fix issue in cached LDAP group comparisons, which caused checks to sometimes fail.
  * Fix use after free issue in unlang switch evaluation.
  * Respect operators in rlm_cache when merging into the current request.
  * Update Cache-Entry-Hits each time rlm_cache is called.
  * Produce WARN messages if SQL queries are empty strings.
  * Fix invalid assertion when proxying CoA requests.
  * Allow empty strings in "case" statements. Closes #836.
  * Normalize escaping for string expansions, i.e. don't do double escaping in rare situations.
  * Normalize LDAP escaping. LDAP servers have multiple ways to escape things, so the data has to be normalized before we can compare two LDAP DNs.
  * Don't go to high debug level if we're proxying inner EAP as EAP. Closes #839.
  * Fix rlm_rest state handling. Closes #835.
FreeRADIUS 3.0.4 Wed 10 Sep 2014 12:00:00 EDT urgency=medium
  Feature improvements
  * Home server "response_window" can now take fractions of a second. See proxy.conf.
  * radmin now supports "show module status", as the counterpart to "set module status".
  * Added dictionary ericsson.packet.ccore.networks, bluecoat, citrix, compatible, riverbed, ruckus, and RFC 7268.
  * Add %{tag:} expansion to get the tag value of an attribute.
  * Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS <version> - <name>' in pg_stat_activity.
  * All config item fields are now type checked at compile time to prevent issues similar to #634 occurring again.
  * Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap.
  * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
  * The above applies to "listen", "home_server", and "client" sections.
  * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
  * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
  * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified, e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
  * Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests.
  * rlm_cache now consumes its control attributes to make runtime configuration easier.
  * Add control:Cache-Read-Only which when set to 'yes' will make the cache module merge existing cache data, but not create new entries.
  * Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting.
  * Add support for aliases in rlm_ldap.
  * Add support for connection pool sharing to all modules that use the connection pool (pool = <instance>).
  * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
  * Preliminary support for EAP channel bindings.
  * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
  * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
  * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
  * Allow comparison of integer attributes of different sizes, without requiring a cast.
  * rlm_sqlippool is now IPv6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
  * The debian build now checks for the OpenSSL package with the heartbleed fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
  * Allow bootstrap from multiple files in sqlite driver.
  Bug fixes
  * Make case-insensitive regular expressions work again, and add tests for them.
  * A few more talloc parenting issues.
  * Fix delayed proxy reply handling. Closes #637.
  * Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646.
  * Don't double-quote strings in debugging messages.
  * Fix foreach / break. Fixes #639.
  * Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary.
  * Fix typo in mainconfig. Fixes #634.
  * More rlm_perl fixes. Fixes #635.
  * Free OpenSSL memory on clean exit.
  * Fix <attr>[0] !* ANY, which was removing all instances of <attr>.
  * Fix case where multiple attributes were returned from RHS of mapping, as with rlm_ldap. Fixes #652.
  * Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may have resulted in a read of uninitialised memory.
  * Don't SEGV if all connections to a database server go away. Fixes #651.
  * Fix issue where <attr> -= <value> was not removing tagged instances of <attr> equal to <value> (only untagged).
  * Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
  * Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified.
  * Fix issue where specifying a dynamic client IP address using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error.
  * Don't print two "&" for messages about attribute or list references in debug output.
  * Fix urlquote and escape to encode Unicode characters correctly.
  * Fix redundant-load-balance blocks to try other modules in the group if one fails.
  * Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes would sometimes be misnormalised as base64.
  * Don't stop processing DHCP options if we find a 0x00 padding option.
  * Fix issue where modifying the value of an attribute created from a template with a literal value may have resulted in the template literal being freed.
  * Fix parenting issues in tls code which may have resulted in memory corruption and crashes.
  * Fix issue in radsniff where, when writing to PCAP files and using -R response filters, the requests would still be written to the PCAP for non matching responses.
  * Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX.
  * Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes, e.g. if (&LDAP-Group == 'foo').
  * Delayed attribute references can now be used in unlang existence checks, i.e. if (&Attribute-Name) { ... }
  * Fix issues in EAP-PWD. CVE-2014-4731, CVE-2014-4732, and CVE-2014-4733. There is no external authentication bypass.
  * Fix a number of uses of the talloc parent/child reference.
  * Release connection used for reading bulk clients in rlm_ldap.
  * rlm_rest is now fail-safe if it's used without any configuration.
  * Pull in build fixes for FreeBSD from ports.
  * Fix error in sqlite postauth query.
  * Evaluate argument to "switch" statements once, instead of for each "case" statement.
  * Define sig_t on systems without it. Closes #765.
  * Fix boundary issue with rlm_rest. Closes #768.
  * Optimize "%{Attribute-Name}" in comparisons only if the dictionary types match.
  * Don't do chmod() in rad_mkdir() if the directory already exists. We might not have permission to change it.
  * Use getpwnam_r() and getgrnam_r() on systems which support it. Closes #775.
  * Clients loaded from SQL are now tied to the "listen" section of a virtual server, instead of being global.
  * Check for -lpcre. The system might have pcre.h without -lpcre.
  * When proxying to a virtual server, use the proxy_reply instead of ignoring it.
  * Fixed typos in DHCP SQL IPPool.
  * Fix crash when passing multiple arguments to Perl xlat.

FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium
  Feature improvements
  * Everything now builds with no warnings from the C compiler, clang static analyzer, or cppcheck.
  * rlm_ldap now supports defining the LDAP attribute name via backticked expansion (i.e. shell command) in RADIUS <-> LDAP mappings.
  * rlm_ldap now supports older style generic attributes.
  * Dynamic expansions (e.g. "%{expr:1 + 2}") are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  * Static regular expressions (e.g. /a*b/) are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  * Dynamic expansions are cached after being parsed. They are no longer re-parsed at run-time for every request.
  * Regular expressions are now parsed and cached when the server starts.
  * Added the %{rest:} expansion to rlm_rest, which will send a GET request to the URL passed as the format string. Any body text will be written to the expansion buffer.
  * rlm_rest now available as a debian package.
  * When an 'if' condition statically evaluates to true/false, unlang does more static optimization. For examples, see src/tests/keywords/if-skip.
  * All modules are marked as safe for '-C', which lets the dynamic expansion checks work in more situations.
  * Added 'none' and 'custom' rlm_rest body types. 'custom' allows sending of arbitrary expanded text and content-type headers.
  * Added "config" section to Perl. See mods-available/perl.
  * Added '%v' which expands to the server version. Patch from Alan Buxey.
  * More mis-matched casts are caught in "if" conditions, and descriptive errors are printed.
  * Support basic response validation in radclient. This allows administrators to write local test cases for their site-specific configurations.
  * Removed radconf2xml and radmin "show client config" and "show home_server config".
  * Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf".
  * Catch underlying "heartbleed" problem, so that nothing bad happens even when using a vulnerable version of OpenSSL.
  * Add locking API for sql_null, linelog, and detail modules, which should improve performance and work around issues on platforms with bad file locking.
  * Allow DHCP NAKs to be delayed, via setting reply:FreeRADIUS-Response-Delay = 1.
  * Allow tag and array references anywhere attributes are allowed in "unlang".
  * Many enhancements to radsniff, including output to collectd, IPv6 support and packet loss statistics.
  * Many dictionary updates (ZTE, Brocade, Motorola).
  * rlm_yubikey now automatically splits passwords from OTP strings.
  * The detail file reader is now threaded by default. This should improve performance reading the files.
  Bug fixes
  * Fix xlat expression %{attribute[n]} so that it actually returns the n'th attribute instead of the first one.
  * Don't parse string on RHS of update {} when using unary operators (!*). The RHS should always be ignored.
  * Check for more optional functions in json-c so we can build with libjson0, which is the name of the json-c package on debian/ubuntu.
  * Fix issue in radmin where the main dictionaries would not be loaded which, depending on the configuration, may have caused validation errors.
  * Fix handling of "%{reply:3GPP-*}".
  * Fix rlm_perl garbage attributes.
  * Fix oracle SQL queries, which amongst other things still used the old expansion format, which is no longer supported/parsed.
  * Truncate long format strings and error markers instead of omitting them.
  * Fix multiple attribute parsing in rlm_rest JSON.
  * Don't crash in rlm_rest if connect_uri is commented out in the configuration.
  * Don't double-escape strings to / from Perl. You may need to double-check your Perl scripts if they use "\" characters. See mods-available/perl for documentation.
  * Don't re-run "authorize" if a home server fails to respond.
  * Don't append "0x" to hex output of octets types, for xlat expansions. This is the same as v2, and makes it easier to concatenate multiple attributes of type "octets".
  * FreeBSD fixes for execinfo linking.
  * Make some of the module configurations more consistent.
  * Fix corner cases where STDOUT wouldn't be closed in daemon mode.
  * Re-enable "update coa" and originating CoA requests.
  * Prevent multiple threads writing to the sql query logs.
  * Fix zombie period calculation. Closes #579.
  * Properly parent VPs for talloc, when moving them in map2request.
  * Various fixes for talloc parent / child relationships.
  * Allow rlm_counter to support VSAs.
  * Normalize return codes for many modules. "do nothing" is noop, not "ok".
  * Run Post-Proxy-Type Fail. Closes #576.
  * Fix DHCP destination port for replies to relays. Closes #591.
  * Do-Not-Respond policy works again. Closes #593.
  * Proxy-To-Virtual-Server works again. Closes #596.
  * Build fixes for ancient systems. Closes #607, #608, #609.
  * %{Module-Return-Code} works again. Closes #610.
* Don't increment statistics for Status-Server responses. Closes #612.
* A duplicate request isn't a duplicate if the original one is marked "done". This should lower retransmissions from clients.
* Fix multiple regular expression and glob memory leaks.
* Don't allocate any memory in fr_fault(), as it can cause malloc to deadlock.
* Temporarily set the dumpable flag before calling system() in fr_fault(), else the debugger may not be able to attach.
* Set nonblock on all TCP client sockets.
* Fix minor buffer overrun in mschapv2 where some attribute strings were not correctly \0 terminated.
* Fix crash on authentication failure with MIT Kerberos.
* Fix code so that octal escape sequences aren't prematurely unescaped in rlm_sql, radclient, preprocess, and other places. This may require configuration changes, as these sequences will no longer need double escaping (\\) of the backslash.
* The connection pools no longer have one connection used twice in certain rare conditions.
* Use self pipes for internal signals. The code was there, but was unused.
* Don't crash if there are outstanding EAP sessions and we're told to exit gracefully.
* Fix typo in dictionary.rfc4072

FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium

Feature improvements

* Secret keys and LDAP / SQL passwords are now printed as '<<< secret >>>' in debugging mode. Use -Xx to see the actual passwords.
* Print out more information about passwords in -Xx, including hashes, comparisons, etc.
* Allow cast (and implicit conversion) of integers to IPv4 addresses
* More xlats allow attribute references. This means they can operate on binary data. e.g. expr, base64, md5, sha1.
* Added more tests.
* The dictionaries are now auto-loaded. raddb/dictionary should no longer have $INCLUDE ${prefix}/share/dictionary
* A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error. See radiusd.conf
* Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
* Add "%{sha256:}" and "%{sha512:}" xlat functions.
* Cache CUI in EAP session resumption.
* Templates can now have sub-sections, which will be included in the section referencing the template.
* Update more dictionaries.
* Added more instances of the "always" module, for all return codes.
* Suppress broken NASes when proxying. Retransmits which occur more than once per second are rate-limited to once per second.
* Allow '&' in more xlat expansions.
* Update PostgreSQL schema and queries to record last updated time, and accounting interim.
* Optimize more "if" conditions when the server loads. This will avoid work at run time. e.g. ("foo" == "bar") --> FALSE.
* Allow removal of all attributes within a list with the !* operator.
* Allow list to list copies with request qualifiers (outer.).
* Add support for IPv4 prefixes and IPv6 addresses and prefixes to %{integer:}.
* Allow radmin command "set module status <module> <code>", which can be used to forcibly enable/disable modules.
* The pap module now assumes Cleartext-Password if Password-With-Header doesn't have a {...} header.
* Added "unpack" module. It can unpack binary data from horrible VSA formats. See raddb/mods-available/unpack
* Added example IP Pool for DHCP, using sqlite. From Matthew Newton. See raddb/mods-config/sql/ippool-dhcp/

Bug fixes

* Fix SQL groups.
* Fix operation of fr_strerror() with RE*() macros.
* Don't assert if the connection we're trying to reconnect is not in_use.
* Fix %{mschap:User-Name} xlat.
* Allow comparisons of signed integers and of ethernet addresses.
* Fix parsing of text-based ascend binary filters.
* Fix a few minor Coverity and clang analyzer issues.
* Log WARNING and ERROR prefixes only once, not twice.
* Fix attribute truncation seen in Perl and other places.
* Use correct port when DHCP relaying.
* Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
* Don't abort() when freeing home servers on exit.
* Fix edge case in pairmove() when some attributes could be overwritten.
* Do checks for individual sqlite v2 functions so rlm_sqlite builds correctly with more versions of the library.
* In Heimdal Kerberos, create MEMORY ccaches on a per context basis. This prevents issues with the root ccache being used.
* Fix corner case with proxying, where home server goes down.
* Rate-limit "max_requests" complaint. We don't want to fill the logs when something goes wrong.
* Use /dev/urandom for raddb/certs/random, if it exists.
* Issue WARNING that old-style clients should no longer be used.
* Auto-set secret to "radsec" for tcp+tls home servers.
* Fix double free in home_server_add when there is a parse error on startup.
* rlm_unix checks if the dictionaries are broken, instead of crashing.
* Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes.
* Register sqlcounter attributes correctly, and fix other issues with it.
* Treat 127.0.0.1/32 as being identical to 127.0.0.1
* Don't mangle error output of SQL drivers like PostgreSQL
* Fix usage of "tls = ${tls}". It could previously cause problems when the reference was used multiple times.
* Fix TLS session leak for incoming sockets.
* Try harder to clean up memory on exit when using "-mM"
* Fix memory leak when home server is down for RadSec connections
* Rate-limit outgoing connection attempts when the home server is down. It will retry no more than once per second.
* When parsing IPv6 address prefixes, always mask off the host portion.
* Fix rlm_counter so that it does not create two reply attributes.
* Fix issues with DHCP Sub-TLVs where the value of the first Sub-TLV would appear corrupted, and subsequent TLVs would not appear in debug output.
* Initialize scope in IP address parsing
* Prevent vendor attributes and RFC space attributes from clashing in rlm_attr_filter.
* Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.
* Fix POST attribute parsing in rlm_rest.
* Fix JSON attribute parsing in rlm_rest.
* Don't append trailing & to POST options in rlm_rest (minor).
* Process HTTP 100 Continue messages correctly in rlm_rest
* Fix generation of long (> 512 byte) POST payloads, where attribute values on the chunk boundary may have been omitted in rlm_rest.
* Remove duplicate escape sequence parsing in rlm_sqlippool and rlm_sqlcounter which caused issues with escaping %. Escape sequence parsing is now handled purely by the xlat functions.
* Ensure %% is treated as a string literal, and so not passed to any xlat escape functions for processing.
* Correct calculation of Message-Authenticator for CoA packets. Closes #556

FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium

Feature improvements

* Add "timeout" to exec, and "ntlm_auth_timeout" to mschap, so that runaway child processes are caught earlier.
* Allow TLS clients to use "proto = tls", in which case TLS is required. The shared secret is then set to "radsec".
* More documentation in the tls virtual server.
* Add "date" module for date formatting. See raddb/mods-available/date.
* Added unit test suite for internal server functionality
* When loading "update" sections, check if the RHS is a literal value. If so, syntax check it immediately.
* Update LDAP module documentation and functionality. The generic attribute can now update lists.
* Updated dictionary.extreme.
* Update sqlippool to do clears as a separate transaction, and at most once per second. This should help MySQL.
* Respect control:Response-Packet-Type for all types of requests.
* Add support for SSL encryption to the MySQL driver.
* Allow arbitrary connection parameters to be used with the PostgreSQL driver.
* Changes to the OpenLDAP schema to fully expose functionality of the new LDAP module.
* Update Debian packaging to include a freeradius-config package. This package may be provided as a site local package to avoid fighting with the preinstalled config files.

Bug fixes

* Use correct field for ARP setting in DHCP.
* Fix crash on debug condition (#454).
* Fix a number of minor issues caught by the clang analyzer.
* Set WARNING messages to yellow instead of normal text.
* Correct debug colorise logic. Patch from Phil Mayers.
* Encode attributes of type "ethernet". No one uses them, but it makes sense.
* Work around regex initialization issues.
* Fix build when linking against OpenSSL.
* Print IDs as positive numbers, which helps for large DHCP XIDs.
* Fix issue with sql_ippool.
* sqlcounter now uses 64-bit counters, to deal with 4G overflow.
* Fix issues with DHCP subsystem.
* Don't build / install disabled modules, or their config files.
* Fix build for OSX Mavericks, which hid the header files in a magical place.
* Fix LEAP buffer issue. You should still avoid LEAP.
* Mark "unknown" WiMAX attributes as being WiMAX.
* Fix typo in packet decoder for fragmented extended attrs
* RPM spec fixes.
* Fix rlm_perl build issues when not using threads.
* Enable %{Response-Packet-Type} again.
* Update configuration file parser to handle "bool" consistently.
* Update declarations of global boolean variables to use "bool" consistently. This fixes an issue where some modules were instantiated in "config check" mode and did not work correctly.
* Make more messages debug instead of info, to avoid polluting the logs with messages that can't be fixed.
* Set operator in internal unlang code to suppress spurious warning messages.
* Fix Debian packaging.
* Added "status" to Debian init script.
* Fix "update outer.request" to update the outer request.
* Don't print TLS debugging messages when not in debug mode.
* Correctly manage counters for "limit" sections of TCP / TLS "listen" sockets.
* Fix libldap debug output.
* Fix rlm_ldap tls functionality.
* Initialise OpenSSL globals early to avoid issues with the PostgreSQL library.
* Fix typo in sqlcounter expansion code. Fixes #463
* Overwrite previous instances of SQL-User-Name when adding it to the request.
* Work around bugs in both MIT and Heimdal versions of krb5_copy_context(), which caused segfaults in multithreaded mode.
* Provide meaningful error messages if Heimdal krb5 is used.
* Fix attribute suppression in rlm_detail.
* Exit with error code if child fails to complete server initialisation after forking. This allows init scripts to correctly report whether the server started ok.

FreeRADIUS 3.0.0 Mon 7 Oct 2013 15:48:14 EDT urgency=medium

Feature improvements

* Documentation for upgrading from 2.x is in raddb/README.rst. Please follow it. It will make the upgrade easier.
* Moved configuration entries in radiusd.conf to make more sense.
* Added the "integer64" and "ipv4prefix" data types.
* Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
* Updated internal API to support new attributes and formats
* Added code to send SNMP Traps. See raddb/trigger.conf.
* Added preliminary support for Apple's Grand Central Dispatch
* Added provisions for raddb/dictionary.local, for local changes. See raddb/dictionary for more details.
* Added packet/s tracking. See max_pps in the "listen" section.
* The %{} expansions and "unlang" conditions are now parsed at server start. Descriptive errors are produced for syntax and format errors.
* Casting is now supported for "unlang" comparisons. See "man unlang". e.g. <ipaddr>127.0.0.1 == Framed-IP-Address.
* Direct comparison of attribute references is now supported. e.g. &Foo == &Bar. This avoids stringification of the attributes.
* Direct assignment of attributes is now supported. e.g. Foo := &Bar. It also works for "octets" data types.
* Comparisons of IPv4 and IPv6 prefixes are now supported. The "<" operator means "within the prefix" for comparisons.
* New sha1 xlat expansion (thanks to Alan Buxey)
* Colourised log messages when logging to stdout. Look for yellow warnings and red errors. Doing this will save you a LOT of grief.
* If the PCRE library is available, use it (instead of the POSIX functions) to process regular expressions (thanks to Phil Mayers).
* -xv now displays all the features the server was built with, and the versions of the core libraries (libtalloc, libssl).

Module Changes

* Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/, following the examples of other projects.
* Additional files for each module are now in raddb/mods-config/. See raddb/mods-config/README.rst for documentation.
* Moved "users" to raddb/mods-config/files/authorize
* Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
* Moved eap.conf to mods-available/eap
* Moved sql.conf to mods-available/sql
* Moved TLS configuration for EAP into a common subsection. See raddb/mods-available/eap, "tls-config" section.
* Added MS-CHAP Change Password, from Phil Mayers. See raddb/mods-available/mschap, "passchange" subsection.
* Added EAP-PWD implementation from Dan Harkins
* Added connection pools for modules. This unifies connection management, which was previously different for different modules.
* SQL now uses the connection pool. See mods-available/sql
* SQL now supports arbitrary Acct-Status-Types. These changes are not compatible with 2.x.
* SQL now has full support for SQLite. See raddb/sql/main/sqlite/
* SQLite supports auto-creation of new databases on server startup for bootstrapping purposes.
* LDAP now uses the connection pool. The LDAP module has been completely re-written for performance and simplicity.
* LDAP now caches groups. This makes multiple group checks MUCH faster.
* Removed all limitations on 253 octet attributes. RFC 6929 allows for attributes up to 4K in length.
* New rlm_idn module providing an expansion for performing IDNA encoding of internationalized domain names. Thanks to 'skids'.
* New rlm_yubikey module to validate yubikey OTP tokens. See raddb/modules/yubikey

Bug fixes

* All known bug fixes from 2.2.x are included.
* Removed "addport" functionality.
* Removed many unused or duplicate modules. See raddb/README.rst.

Internal / API changes:

* All traces of the old build system have been removed. The new build system is faster and simpler.
* clang is fully supported.
* We now use "talloc" for memory management. A number of new features required this change. Thanks to the Samba people!
* Many internal APIs have been updated to use talloc.
* New API for iterating over VALUE_PAIRs. This is in preparation for nested attributes, in version 3.1.
* No new code should directly modify any field of a VALUE_PAIR.
* VALUE_PAIRs contain pointers to DICT_ATTR instead of containing attribute and vendor fields. This will allow nested attributes.
* Some protocol specific code has been moved out into proto_* modules. More will come in subsequent versions. See proto_dhcp and proto_vmps.
* Standardised internal logging macros. radlog() should not be used. See src/include/log.h
* Use OpenSSL hashing functions when available.
* The server now builds with no warnings on most platforms.
* New RADIUS encoder/decoder, to support new formats.
* Added RFC 6929 "extended attributes", via the new encoder/decoder.
* Added full WiMAX support, via the new encoder/decoder. The old code could not handle some unusual corner cases.