freeradius-3.0.19-1.mga7.armv7hl.rpm

FreeRADIUS 3.0.19 Wed 10 Apr 2019 09:00:00 EDT urgency=high
	Feature improvements
	* Update dictionary.cisco
	* Update sqlippool to allow for stored procedures with
	  PostgreSQL.  This increases performance substantially.
	  Patch from Nathan Ward.  Fixes #2540.
	* Re-added "show client config" command to radmin.
	* Cleaned up mods-available/sql example so that it is
	  easier to understand.
	* Added pfSense dictionary. Closes #2581
	* Update dictionary.h3c Closes #2592
	* Update elasticsearch/logstash config for v6.7.0.
	* EAP-PWD security fixes from Mathy Vanhoef. See
	  http://freeradius.org/security/

	Bug fixes
	* Update dynamic_client module and server core so that
	  the functionality works.  This has been broken since
	  at least v2.
	* Fix crash in sqlippool due to escaping changes.
	  Patch from Nathan Ward.  Fixes #2532, #2533.
	* Fix systemd notify, watchdog and unit files.
	  Fixes #2541, #2499.
	* Fix erroneous length check in EAP-FAST.
	* Update documentation to remove old "ignore_null"
	  configuration. Fixes #2578.
	* Fix default POD port. Should be 3799.  Fixes #2591
	* Correctly encode vendor-specific "encrypted" attributes.
	  Fixes #2600

FreeRADIUS 3.0.18 Mon 25 Feb 2019 15:00:00 EST urgency=low
	Feature improvements
	* cleanup_delay can now be 30 seconds.  This helps
	  with proxies that have packet loss.
	* Do-Not-Respond policies can now be set in the
	  "post-auth" section.
	* Encode / Decode ADSL Forum DHCP options.
	* Fix module ordering issues.  e.g. when "sqlippool" needs
	  "sql".  See the "instantiate" section of radiusd.conf.
	* Add Big Switch dictionary.  Fixes #2252.
	* Add sql_session_start policy (raddb/policy.d/accounting)
	  This minimizes race conditions when using Simultaneous-Use
	  Patch from Philippe Wooding (#2257).
	* For rlm_perl, all variables are now tainted by default.  See
	  raddb/mods-available/perl, and the "perl_flags" configuration
	  item.  This change should only affect people who are using
	  variables in insecure ways.
	* Allow "sqlcounter" module to be listed in "post-auth".
	* Add support for IPv6 attributes in SQL.  Fixes #2280.
	  Patches from Michael Ducharme.
	* The server is better at handling fail-over for outbound
	  RadSec and TCP connections.  Fixes #2284.
	* The server is now more aggressive about retrying failed
	  outbound RadSec and TCP connections.  Fixes #2284.
	* Add TLS-Session-Version and TLS-Session-Cipher-Suite to
	  the "session_state" list.
	* Add expansion for Radsec connections.  "%{listen:TLS-...}"
	  for TLS-Client-Cert-* and TLS-Cert-* attributes.
	* Add notes on running "ldapsearch" using the parameters from
	  the LDAP module.
	* "ipaddr" attributes can now be cast to "integer" type attributes
	  in an "update" section.
	* Move main thread queue to using atomic queues.  This should help
	  with contention in high load scenarios.
	* Add "recv_buff" setting to listeners. For more details,
	  see sites-available/default
	* The sqlippool module can now use attributes other than "Pool-Name"
	  to assign IP pools.  The "Pool-Name" attribute is still the default.
	* The "unpack" expansion can now unpack substrings.  See
	  mods-available/unpack for documentation and examples.
	* The preprocess module now does "cisco_vsa_hack" for Eltex-AVPair.
	  Fixes #2301.  Vendors SHOULD NOT USE THAT KIND OF ATTRIBUTE.
	* Allow for <instance>-LDAP-UserDN.  See mods-available/ldap for
	  more information.
	* Add sanitizing of control list for moonshot.  Fixes #2318
	* Update rlm_sql_mysql to be compatible with MySQL 8.
	  Fixes https://bugs.launchpad.net/bugs/1795310.
	* Allow logging of only Access-Accept or Access-Reject messages.
	  See radiusd.conf, "auth_accept" and "auth_reject".
	* Removed Connect-Rate comparison.  It was unused and broken.
	* Add dictionary.infinera.
	* RPMs can now change raddb location with rpmbuild parameter
	  --define '_sysconfdir /etc'
	* OpenDirectory module now points to Apple documentation for help
	  with build and configuration.
	* Use OpenSSL HMAC functions instead of local ones.
	* Some SQL modules can now use "auto_escape" to escape unsafe strings.
	  See mods-config/sql/main/mysql/queries.conf
	* Add wispr2date conversion in mods-available/date
	* Implement dictionary-based handling in rlm_python.  Fixes #2334.
	  See mods-available/python for details.
	* Add support for SKIP LOCKED in sqlippool.  This can improve
	  performance by an order of magnitude or more.  See
	  raddb/mods-config/sql/ippool/*/queries.conf
	  Fixes #2383.  Patch from Nathan Ward.
	* Updated Debian packages to allow for libssl1.1.
	  Fixes #2384.  Patch from Alejandro Perez.
	* Allow PSK and certificates at the same time.
	  Except for TLS 1.3 which does not support that.
	* Update Debian packages for newer releases.
	  Fixes #2391.  Patch from Matthew Newton.
	* Update docker scripts.  Fixes #2306.
	  Patch from Matthew Newton.
	* Add crypt xlat.
	* MySQL connections can now skip verifying the server
	  certificate.  Fixes #2481.  See mods-available/sql
	* Add better mechanism to detect MariaDB (Old MySQL).
	* Add RFC 7532 "bang path" support for realms.
	  Fixes #2492.
	* Update dictionary.ukerna documentation.  Fixes #2493
	* Add support for systemd service and watchdogs.
	  Fixes #2499.
	* Check for openssl/rand.h, and allow building without
	  OpenSSL engine.  Patch from Eneas U de Queiroz.
	  Fixes #2517.
	* The default PostgreSQL queries now use "ON CONFLICT"
	  to better deal with issues.  This requires PostgreSQL
	  9.5 or later.  Please use a recent version of PostgreSQL,
	  or edit the default queries to remove "ON CONFLICT".

	Bug fixes
	* The session-state list is no longer cleaned in the
	  inner-tunnel.  This lets the outer Access-Reject
	  section access session-state.
	* Fix typo in lock initialization for TLS sockets
	  Found by Sergio NNX.
	* Add check for crash when home server down.
	  Fixes #2233.
	* Add username key for postauth table.
	* Better libpcap checks, when the header files or
	  libraries are missing.  Fixes #2245.
	* Allow building with old versions of OpenSSL.
	  Fixes #2247.
	* Allow non-FreeRADIUS State attributes to be used with
	  the "session-state" list.  i.e. State length != 16.
	* Be more aggressive about cleaning up zombie children
	  when running in debug mode.
	* Use LTDL_DEEPBIND, which fixes issues with Oracle
	  libraries exporting LDAP API functions.
	* unlock files when asked to unlock them.
	* return error instead of asserting in map code.
	* Don't write 0 bytes to SSL.  Fixes #2270.
	* Remove "expiry_time IS NULL" from allocate_update
	  query.  Fixes #2262.
	* Various dictionary cleanups and consistency checks.
	  Fixes #2281.  Patches from Peter Lemenkov.
	* rlm_python has stronger thread locking to prevent
	  reported issues.  Performance may be affected.
	* Don't allow Message-Authenticator to overflow
	  past the end of a large packet.
	* Fix crash in sqlippool when SQL server goes away.
	  Fixes #2300.
	* Typos in man pages.  Patch from Nikolai Kondrashov.
	  Fixes #2303.
	* Check for correct OpenSSL version in vulnerability
	  list.  Patch from Christian Hesse.
	* Fix crash with CoA packets.  Fixes #2304.
	* Fix crash in rlm_exec with CoA.  Fixes #2328.
	* Print errors while parsing the log config, and don't
	  quit when deprecated log settings are found.
	* Fix DHCP encoder xlat so that it can be used with
	  a list of attributes.  It previously only encoded the
	  first member of the list, and now encodes all
	  members.
	* The "expr" module now skips more whitespace.
	* Remove internal FreeRADIUS-Response-Delay attributes
	  from attr_filter Access-Reject.
	* Don't send junk to redis when maximum args reached.
	* Small updates to IPv6 for accounting schema.
	  Fixes #2364.
	* Fix OpenDirectory integration in rlm_mschap
	* Fix slow memory leak with dynamic clients
	* Don't artificially truncate debug output for long
	  strings.
	* Fix memory leak in EAP-PWD.
	* Fix crash in "hints" file with Fall-Through = yes
	* Fix crash / timer issues with many CoA packets.
	* Fix attr_filter so that it does not treat
	  vendor attributes of number 26 as Vendor-Specific.
	* Fix reconnect correctly in rlm_sql_mysql.
	* Fix rlm_cache to properly use Cache-TTL < 0.
	  Fixes #2485.
	* Fix rare occurrence of bad xlat expansion.
	* Check for rare race condition when a proxy reply
	  arrives too late.

FreeRADIUS 3.0.17 Tue 17 Apr 2018 14:00:00 EDT urgency=low
	Feature improvements
	* Add CURLOPT_CAINFO.  Patch from Nicolas C.
	  #2167
	* "stats home server" now supports "src IPADDR",
	  to specify home server also by source IP.  Fixes #2169.
	* Add Dockerfiles for a selection of common systems.
	* Increase number of permitted file descriptors, for
	  systems with many home servers.
	* Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs.
	  Patch from Isaac Boukris.  Fixes #2205.
	* Update main READMEs.  Patches from Matthew Newton.
	* Added dictionary.mimosa
	* TLS-based EAP methods now create TLS-Session-Version
	  and TLS-Session-Cipher-Suite attributes.

	Bug fixes
	* Don't call post-proxy twice when proxying to
	  a virtual server.  Matthew Newton, #2161.
	* Use "raw" string value for shared secrets and dynamic clients.
	  It now parses strings with backslashes and "special characters"
	  correctly.  Fixes #2168.
	* Fix RuntimeDirectory for RedHat, from Alan Buxey.
	* Relax checks in 'if' parser from Isaac Boukris
	* Minor cleanups for %{debug_attr:&request} from Isaac Boukris.
	* Be more aggressive about cleaning up cached certificate attributes,
	  due to deficiencies in OpenSSL.  Reported by Nicolas Reich.
	* Be more accepting when parsing IPv6 addresses.  Bug noted
	  by Klara Mall.
	* Fix double free in rlm_sql.  Fixes #2180.
	* rlm_detail now writes empty Access-Accept packets.
	* rlm_python can now create tagged attributes.
	* Don't crash on duplicate realm + authhost / accthost.
	  Bug found by Richard Palmer.
	* Allow partial certificate chain to trusted CA.  Fixes #2162
	* Treat SSL_read() returning zero as error.  Fixes #2164.
	* detail writer now checks if the file was renamed or deleted.
	* Add User-Name to Access-Accept if EAP-Message exists,
	  not Stripped-User-Name.
	* RedHat Systemd updates.  Fixes #2184
	* Use correct API for State variable in rlm_securid.
	* Remove broken radclient option "-i".
	* Fix "users" file (and hints, etc). So that it does not
	  get confused about entry ordering with multiple $INCLUDEs.
	* Fix rlm_sql to expand the un-escaped string, not the raw string.
	* Link default and inner-tunnel only if they exist.  Fixes #2206.
	* Don't use both IP_PKTINFO and IP_SENDSRCADDR.
	* Always install signal handler for SIGINT (needed by Docker).
	* Fix intermediate CA flow for OCSP.  Fixes #2160.
	  Intermediate certs which are not self-signed will now be
	  checked.
	* sqlippool now returns "fail" if it fails IP allocation.
	* Fix rlm_yubikey to look for correct attribute in replay
	  attack check.

FreeRADIUS 3.0.16 Thu 11 Jan 2018 12:00:00 EST urgency=low
	Feature improvements
	* rlm_python now supports multiple lists.  From #2031.
	* Add trust router re-keying.  From #2007.
	* Add support for Samba / AD LDAP schema.
	  See doc/schemas/ldap/samba/README.txt and
	  doc/schemas/ldap/samba/
	* Add "tls_min_version" and "tls_max_version" to EAP module
	  for Debian OpenSSL issues.
	* Better documentation for client certificates in PEAP and TTLS:
	  it usually doesn't work.  Fixes #2068.
	* Distinguish login failure from AD unavailable.  Fixes #2069.
	* Update RH spec files.  Fixes #2070.
	* Run Post-Proxy-Type if all home servers are dead.
	  Fixes #2072.
	* Print offending IP addresses when EAP sessions come from
	  two upstream home servers, and rate-limit the messages.
	* Minor packaging updates.
	* Better documentation for rlm_rest.
	* EAP-FAST now has its own "cipher_list", so that it is
	  easier to configure.
	* EAP-FAST now forcibly disables TLS1.2, until such time
	  as we implement the new keying mechanism from TLS1.2.
	* Add documentation for allow_expired_crl.
	* Update Debian logrotation.  #2093 and #2101.
	* DHCP relay can now drop responses.  #2095.
	* rlm_sqlippool can now assign Delegated-IPv6-Prefix.
	  It also now can assign any IPv4 or IPv6 address.
	  Based on patches from maximumG.  #2094.
	  See raddb/mods-available/sqlippool for changes.
	* radeapclient can now use EAP-SIM-Ki to dynamically
	  create the necessary triplets.
	* Explain why many LDAP connections are closed.
	  Fixes #1969.
	* Debian build / package issues fixed by Matthew Newton.
	* dictionary.patton updates from Brice Schaffner.  Fixes #2137.
	* Added scripts to build "inner-server.pem", and updated
	  mods-config/inner-eap and certs/README to match.
	* Added provisions for using an external CA.  See raddb/certs/
	* Include dhcpclient binary in freeradius-dhcp debian package.

	Bug fixes
	* Bind the lifetime of program name and python path to the module
	  FR-AD-002 (redone)
	* Pass correct statement length into sqlite3_prepare[_v2]
	  FR-AD-003 (redone)
	* Allow 100-Continue responses with additional headers in rlm_rest.
	* fix corner case where detail files were not being locked
	  correctly.
	* Fix (SQL-Group == "%{...}") checks, and same for LDAP-Group.
	  Fixes #1947
	* Clean up exfile code.  Which should help to avoid issues
	  with reading / writing 100's of detail files.
	* Fix build for winbind.  Patch from Alex Clouter.
	* Fix checkrad for Mikrotik.  Patch from Michael Ducharme.
	* Fix home server stats lookup.  Patch from Phil Mayers.
	* Add libjson-c3 as an optional dependency.
	* Require LTB OpenLDAP on CentOS / Redhat, to avoid linking
	  against NSS, which breaks the server.  Fixes #2040.
	* rlm_python fixes.  Fixes #2041
	* Typos in "man" pages.  Fixes #2045
	* Expand "next" in %{%{...}:-%{...}}.  Fixes #2048
	* Don't add TLS attributes twice.  Fixes #2050.
	* Fix memory allocation in rlm_rest.  Fixes #2051.
	* Update trustrouter for new API. Fixes #2059.
	* Fix SQLite issues on FreeBSD.  Fixes #2060
	* Don't do debug logging of bad passwords.  Fixes #2064.
	* More graceful handling of "die" in rlm_perl.  Fixes #2073.
	* Fix occasional crash when using
	  cisco_accounting_username_bug = yes
	* EAP-FAST fixes from Isaac Boukris.
	  #2078, #2076, and #2082, #2126.
	* DHCP fixes, relay, #2092, add run-time check, #2028
	* Decode multiple RADIUS packets at a time in highly loaded
	  RadSec connections.  Patch from Jan Tomasek.  #2106.
	* TunnelPassword is not "single value" in LDAP schema.
	  Fixes #2061.
	* sql log now opens the expanded filename, not the input one.
	  This was a regression introduced in 3.0.15.
	* Remove unnecessary UNIQUE constraint in Oracle schemas.
	* Fix SSL thread and locking issues when modules also use SSL.
	  Fixes #2125 and #2129.
	* Re-add dhcpclient "raw packet" changes.  Patches from
	  Nicolas Chaigne and Matthew Newton.  Fixes #2155.

FreeRADIUS 3.0.15 Mon 17 Jul 2017 09:00:00 EDT urgency=high
	Feature improvements
	* Provide HOSTNAME in default systemd files.
	* Incorporate RedHat specific files
	* Update dictionary.starent, dictionary.ruckus
	* Allow builds without TCP or DHCP

	Bug fixes
	* Fix multiple issues.  See this web page for details:
	  http://freeradius.org/security/fuzzer-2017.html
	* Pass correct statement length into sqlite3_prepare[_v2]
	* Bind the lifetime of program name and python path to the module
	* Check input / output length in make_secret().
	  FR-GV-201
	* Fix read overflow when decoding DHCP option 63
	  FR-GV-206
	* Fix write overflow in data2vp_wimax()
	  FR-GV-301
	* Fix infinite loop and memory exhaustion with 'concat' attributes
	  FR-GV-302
	* Fix infinite read in dhcp_attr2vp()
	  FR-GV-303
	* Fix buffer over-read in fr_dhcp_decode_suboptions()
	  FR-GV-304
	* Decode 'signed' attributes correctly.
	  FR-GV-305
	* use strncmp() instead of memcmp() for bounded data
	  FR-AD-001
	* Bind the lifetime of program name and python path to the module
	  FR-AD-002
	* Pass correct statement length into sqlite3_prepare[_v2]
	  FR-AD-003
	* print messages when we see deprecated configuration
	  items
	* show reasons why we couldn't parse a certificate
	  expiry time
	* be more accepting about truncated ASN1 times.
	* Fix OpenSSL API issue which could leak small amounts
	  of memory.  Issue reported by Guido Vranken.
	* For Access-Reject, call rad_authlog() after running
	  the post-auth section, just like for Access-Accept.
	* don't crash when reading corrupted data from session
	  resumption cache.  Fixes #1999.
	* Parse port in dhcpclient.  Fixes #2000.
	* Don't leak memory for OpenSSL.
	  Patch from Guido Vranken.
	* Portability fixes taken from OpenBSD port collection.
	* run rad_authlog after post-auth for Access-Reject.
	* Don't process VMPS packets twice.
	* Fix attribute truncation in rlm_perl
	* Fix bug when processing huntgroups.

FreeRADIUS 3.0.14 Fri 26 May 2017 13:00:00 EDT urgency=medium
	Feature improvements
	* Enforce TLS client certificate expiration on
	  session resumption, and Session-Timeout.
	  See CVE-2017-9148.
	* Updated dictionary.cisco.vpn3000, dictionary.patton
	* Added dictionary.dellemc
	* Lowered the log output for failed PEAP sessions.
	* Allow utc in rlm_date.  Patch from
	  Peter Lambrechtsen.
	* The internal OpenSSL session cache has been
	  disabled.  Please see mods-available/eap
	* Update detail reader documentation.
	  Patch from Matthew Newton.  Fixes #1973.
	* Make outgoing RadSec connections non-blocking.
	* Add SQL backing to Moonshot-*-TargetedId
	  generation.  Patch from Stefan Paetow.

	Bug fixes
	* radtest uses Cleartext-Password for EAP, not
	  User-Password.
	* Update documentation for mods-enabled/ linking.
	* Enhanced checks for moonshot salt.  Fixes #1933.
	* Allow session resumption for RadSec connections.
	  Fixes #1936.
	* Update "huntgroups" file to note that port ranges
	  are not supported.
	* Fix OpenSSL permissions issues on default key files.
	  Fixes #1941.
	* Certificates are not required when PSK is used.
	* Allow SubjectAltName as first extension in cert.
	  Fixes #1946.
	* Fixed talloc issue with TLS session resumption.
	  Fixes #1980.
	* "&Attr-26 := 0x01" now produces useful error messages.
	* Handle connection error in rlm_ldap_cacheable_groupobj.
	  Fixes #1951.
	* Fix endian issues in DHCP.
	* Multiple minor fixes for Coverity complaints.
	* Handle unexpected regex.  Fixes #1959.
	* Fix minor issues in dictionaries.
	* Fix typos and grammar.  Patches from Alan Buxey.
	* Fix erroneous VP creation in rlm_preprocess.
	* Fix MIB.  Patch from Jeff Gehlbach.
	* Trust router updates from Alejandro Perez.
	* Allow build with LibreSSL.  Fixes #1989
	* Use correct packet for channel bindings.  Fixes #1990.
	* Many fixes found by PVS-Studio.  Thanks to PVS-Studio
	  for giving us a test license.  Please see the git commit
	  history for more information.
	* Fix incorrect length check in EAP-PWD.  This may
	  be exploitable.

FreeRADIUS 3.0.13 Mon 06 Mar 2017 13:00:00 EDT urgency=medium
	Feature improvements
	* Add dictionary.rfc7930.  Note that we do not implement
	  the RFC.
	* Added 'cipher_server_preference' to mods-available/eap
	  Patch from #1797.
	* OpenSSL 1.1.0 compatibility fixes.
	* rlm_perl: radiusd::xlat to evaluate xlat string
	  within perl script
	* Allow authentication retry in winbind. Patch from
	  Herwin Weststrate. See raddb/mods-available/mschap.
	* Added "recv-coa" method to rlm_rest.  It behaves the
	  same as "authorize".
	* Document Trust Router tr_port option.  Patch from
	  Stefan Paetow.
	* Update elasticsearch/logstash examples so that they work
	  with elastic stack v5.  Patch from Matthew Newton.
	* Print information about packets, replies, and contents
	  in the detail file reader.
	* Update abfab-tr policy.  Pull request #1893
	  from Stefan Paetow.
	* Reject packets which contain User-Password and
	  EAP-Message.
	* Add example for filtering Access-Challenge.
	  See sites-enabled/default.
	* Pull symlink fixes from v4.0.x.  Fixes #1859.
	* Add systemd reload.  Not everything is reloaded, but
	  some is.  Fixes #1662.
	* Better documentation for listen "ipaddr".  Fixes #1921
	* Add dictionary.cnergee, updated dictionary.nomadix.
	* radclient no longer needs -x to print statistics with -s.

	Bug fixes
	* Minor typos.  Fixes #1763
	* Fix typo in RPM build.  Closes #1767.
	* rlm_mschap check for password expiry only
	  if password was correct.  Fixes #1762.
	* Update debian build.
	* update rlm_counter "man" page.  Fixes #1775.
	* Remove erroneous assert.  Fixes #1778.
	* fix mschap password change test.  Fixes #1792.
	* Cleanup config file on data remove.  Fixes #1795.
	* passwd module returns "notfound" if not found.
	* Check for old OpenSSL, and don't build rlm_eap_fast
	  if necessary.  Fixes #1803
	* Cleanup memory better after ldap version query.
	  Patch from Aleksey Katargin.
	* Rename lt_* functions to avoid linker issues with
	  libtool.  Fixes #1277
	* Many miscellaneous fixes and typos.
	* Allow long strings in %{%{foo} bar:-%{baz} blah".
	  Fixes #1866
	* Fix filtering operators, along with more documentation and
	  more tests for them.
	* Fix OpenSSL fixes.  Fixes #1876.
	* Finish SQL select queries even when SELECT returns no rows.
	  Fixes #1879.
	* Set Module-Failure-Message for more EAP errors.
	* Correct typo in dictionary.rfc5580.  Fixes #1882
	* Remove obsolete systemd syslog.target.
	* Client-Port-Balance load-balancing now uses client port.
	* Radrelay examples fixed from Alex Clouter.
	* Update systemd target.  Pull request #1896.
	* Trim starting whitespace in xlat strings.
	* Get MySQL result lengths using normal API.
	* suid down after fchown().  Fixes #1914.
	* Fix cases of comparing pointer to NUL character.  Fixes #1915.
	* OpenSSL v1.1 fixes.  Pull request #1921.
	* Better Handle v4/v6 host names.  Pull request #1919.
	* Remove "Auth-Type = System" from docs and examples.
	* Don't crash on malformed %{home_server}.  Fixes #1922
	* fix erroneous use of talloc destructor in rlm_eap
	* Issue trigger modules.sql.fail.  Fixes #1923
	* Document python_path gotchas.  Fixes #1845
	* dlopen() the specific version of Python.  Fixes #1592

FreeRADIUS 3.0.12 Thur 29 Sep 2016 13:00:00 EDT urgency=medium
	Feature improvements
	* Add support for =~ and !~ in update sections.
	  See "man unlang"
	* Add dictionary.checkpoint.
	* Simultaneous-Use prints out more information.
	* Print WARNING in debug mode when packets may be
	  truncated.
	* Added expansions %{home_server:state} and
	  %{home_server_pool:state}, which show the
	  state of the server / pool.
	* Mark rlm_sql_freetds as stable.
	* Make rlm_perl less fragile.  Patch from
	  Herwin Weststrate.
	* Allow extended attributes to have "encrypt=2"
	* Update dictionary.aruba.
	* Add support for EAP-FAST.  This is an isolated
	  feature which does not affect anything else.
	* Update OpenSSL vulnerability list.  Use a version
	  of OpenSSL released after September 20, 2016.
	* EAP certificate verification is now done when
	  "verify" is enabled and "ocsp" is disabled.
	* New dhcpclient and rlm_rad_counter man pages.
	* Minor abfab and moonshot additions.
	* Pass CFLAGS through from environment in RPM builds.
	  Allows more custom builds.
	* Build with Heimdal in addition to libkrb5.

	Bug fixes
	* Use correct typedef for older versions of sqlite.
	* Update mssql schema to add priority
	* Don't complain on /dev/urandom in ldap
	* Fix == operator in update sections
	* Don't create DHCP strings with many trailing zeros.
	  Patch from Nicolas C.  Fixes #1526.
	* Allow MS-CHAP change passwords instead of complaining
	  on large buffer.
	* Allow assignment or equality operator on SQL.
	* Update aclocal tests for FreeBSD 10.  Patches from
	  Mathieu Simon.
	* Remove occasional hang in rlm_linelog.
	* Copy VSAs to inner tunnel for TTLS and PEAP.
	  Fixes #1544
	* A few minor bugfixes caught in v3.1.x cleanup, and
	  back-ported to v3.0.x.
	* do_not_respond again works in post-proxy
	* Allow realm "~^.*$" {} and User-Name with no realm.
	* Fix leak when creating unknown attributes
	* Fix Debian / logrotate.
	* Make OpenSSL error functions thread-safe.
	* Fix crash with rlm_sql and updating SQL-User-Name.
	* Debian build updates.
	* Allow regular expression comparisons in radclient
	  fixes #1574.
	* Fix memory leak on unknown attributes in detail file
	  reader.
	* Update example paths in "man" pages when installing
	  them
	* Build fixes for rlm_mschap.  Fixes #1489.
	* BSD build fixes.  Patch from issue #1583.
	* Be more careful about /lib/ when building.
	  Fixes #1585.
	* Correct ifdef placement error.  Fixes #1572.
	* Allow for more files in internal "exfile" API
	  So it will be possible to open more than 64
	  "detail" files at the same time.
	* Remove support for statically built EAP modules.
	  Fixes #1591.
	* Many fixes to rlm_python from Guillaume Pannatier.
	* Use correct week adjustment in SQLcounter.
	  Fixes #1608
	* Minor fixes to allow compilation without DHCP,
	  VMPS, or TCP.
	* Fix checks for module / config file change on HUP.
	* Compile regex comparisons when sent via
	  "debug condition".  Fixes #1632.
	* Update filenames in documentation and examples.
	  Patch from Alan Buxey, #1655.
	* Don't crash if SQL connection becomes unavailable.
	  Fixes #1640.
	* Disallow originate_coa when proxy_requests = no
	  Fixes #1684.
	* Free rad_perlconf_hv in correct perl context.
	  Fixes #1675.
	* Multiple fixes for Debian builds.  #1510, among
	  others.
	* Set OpenSSL FIPS compatibility flag when necessary.
	* Pulled fixes for the build system over from other
	  branches.
	* Fix OCSP for RADIUS over TLS.
	* Fix skip_if_ocsp_ok behavior.
	* Better fixes for systems without closefrom() but
	  which have /proc.  Fixes #1757.
	* Minor build fixes back-ported from v4.0.x.
	* build --without-ascend-binary.  Fixes #1761.
	* Be more aggressive about not opening new connections
	  in debug mode after CTRL-C.  Address #1604.

FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium
	Feature improvements
	* "unlang" comparisons of IP addresses to IP prefixes
	  are now detected, and types automatically cast.
	* Allow shorthand form of ipv4prefix values e.g. 127/8.
	* Add "auto_chain" to raddb/mods-available/eap, tls
	  subsection.  This allows the disabling of OpenSSL
	  auto-chaining of certificates.  Which might be wrong.
	* Added printing of coa and disconnect stats (radmin).
	* radclient defaults to expecting Access-Accept responses
	  to Status-Server.
	* Updated dictionary.lancom, dictionary.starent.
	* Portability fixes for Solaris.
	* More errors from ntlm_auth get passed to MS-CHAP.
	* Update abfab-tr-idp virtual server.
	* Added "filter_password" in policy.d/filter.  This
	  removes embedded zero bytes in User-Password, for
	  compatibility with broken clients.
	* The server now issues a WARNING message if duplicate
	  configuration items are found.
	* TLS can skip the "verify" section if OCSP returns OK.
	  See raddb/mods-available/eap, "skip_if_ocsp_ok".
	* Set TLS-OCSP-Cert-Valid = yes / no / skipped, which
	  is the result from the OCSP check.
	* Interoperate with AD and "LmCompatibilityLevel = 5",
	  by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for
	  native winbind in rlm_mschap.
	* TTLS and PEAP now require "virtual_server" to be a real server.
	* Print WARNING when TTLS or PEAP identities are spoofed
	  or not properly anonymized.  See RFC 7542 for requirements.
	* Various rlm_python fixes from Herwin Weststrate.
	* Allow setting Response-Packet-Type in "Post-Proxy-Type Fail",
	  which is useful when the home server does not respond.
	* elasticsearch updates from Matthew Newton

	Bug fixes
	* Fix issue where field nas_type would not be accessible via
	  the %{client:} xlat, for clients loaded from SQL.
	* Fix compatibility issues with OpenSSL 1.0.2.  Ignore
	  calls to msg_callback with 'pseudo' content types.
	* Data type "ipv4prefix" is parsed correctly.
	* Use correct talloc context in rlm_exec.  Fixes #1338.
	* Complain in unlang if "else" is used with no previous
	  "if" or "elsif".
	* Send accounting status packets to the accounting port.
	  Fixes #1364.
	* Print out CFLAGS when doing "radiusd -Xxv"
	* Fixed bug with coa/acct stats value #1339. Based on patch from
	  Jorge Pereira.
	* Fixes for LEAP proxying.  Don't use LEAP!
	* Fix issue with "directory already exists" seen when doing
	  "make install".
	* Fixed bug with radmin related to the option "stats detail <filename>"
	* Complain if the detail file reader does not have permission
	  to read the "detail.work" file.  Fixes #1398
	* Fixed SoH. Attributes were not being copied to the virtual server.
	* Fix use of the wrong list for global statistics in "stats".
	* Create EAP-PWD identity correctly.  Prevents segfaults.
	* Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
	* Fix includes in installed headers.
	* OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly.
	  See raddb/mods-available/eap, "disable_tlsv1_2"
	* Allow password change to work for MS-CHAP.  This requires 'r=0',
	  because password changes are not retries.
	* Fix home server fail-over for home servers using TCP and/or RadSec.
	* Special characters in expanded regexes are now escaped
	  e.g. User-Name containing '.', and comparing /%{User-Name}/,
	  the '.' will now be escaped.  See src/tests/keywords/regex-escape.
	* Use correct authentication vector when sending Access-Reject replies
	  for RadSec.
	* Set FreeRADIUS-Proxied-To in TTLS again.  You should use the
	  "inner-tunnel" virtual server, instead of relying on this attribute.
	* Fix debugging constants in rlm_perl.  Patch from Herwin Weststrate.
	* Add samba-dev / samba4-dev to debian builds so that rlm_mschap can
	  automatically use the new winbind API.
	* Automatically skip zero-length attributes when sending packets,
	  instead of erroring out.

FreeRADIUS 3.0.10 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
	Feature improvements
	* Do more optimization of unlang policies.  This makes
	  run-time a bit faster.
	* Re-name most of the functions in src/lib.  Third-party
	  module authors will have to do the same.
	* More documentation on contributing and how to write
	  modules.
	* Update radiusd.service for systemd.
	* Open IPv6 proxy socket if the server is listening on IPV6
	  auth / acct / coa packets.
	* Create debian packages for DHCP.  Fixes #1125.
	* Add more tests for "update" section parsing.
	* Update "man" pages.
	* Update attributes for Alcatel 7750
	* Add dictionary for Boingo Wi-Fi
	* Add support for DHCP lease queries.
	  See raddb/sites-available/dhcp
	* On HUP, check all modules for config files which have
	  changed.  And only re-load those modules.
	* Allow FreeRADIUS-Response-Delay(-USec) to be set for
	  RADIUS packets.  Patch from Herwin Weststrate.
	* Documentation fixes from Alan Buxey and Matthew Newton.
	* Update "logrotate" script.
	* Added more RFCs to doc/rfc for new standards implemented
	  by FreeRADIUS.
	* Don't crash when doing "radmin -e "help hup".
	  Patch from Matthew Newton.
	* The dictionary parser now does more sanity checks, which
	  prevents run-time problems with invalid attributes.
	* Update debian packages.  Patches from Christopher Hoskin.
	* Many other debian packaging fixes from Matthew Newton
	  and Herwin Weststrate.
	* Add "session-state" to Perl.  Patch from Herwin Weststrate.

	Bug fixes
	* Fix rlm_files so that there are no collisions when loading
	  10's of 1000's of users.
	* Fix radclient to use our internal v4/v6 parsing functions.
	  v6 addresses with ports now work correctly.
	* Fix sending/receiving packet messages to wrap v6 addresses
	  in square brackets '[]'.
	* Check for sasl/sasl.h when building rlm_ldap, and disable
	  SASL functionality if unavailable.
	* Fix issue which caused a non \0 terminated buffer to be
	  assigned to attributes if the value being assigned contained
	  an invalid escape sequence.
	* Fix deadlock when reconnecting connections in the connection
	  pool.
	* Fix potential overrun in functions that used fr_utf8_char
	  with a non nul terminated buffer.
	* Fix decoding issue for Tunnel-Password type attributes
	  which were very long.  Found by Denis Andzakovic.
	* Fix radclient issue with TCP sockets on FreeBSD.
	* The server now creates ${run_dir} and ${logdir} directories
	  in daemon mode, when running as "root".
	* Handle tags when using maps.  Fixes #1191.
	* Fix crash when CoA packets time out.
	* Fix parse error in rediswho
	* Fix regex support in SQL radcheck, the "users" file, and radsniff.
	* Register listen xlat earlier, so that it's available when the
	  virtual servers are being parsed.
	* Parse Ascend-Data-Filter when given as "0x..."
	* Print Ascend-Data-Filter correctly.  Add test cases for both.
	* Allow old-style clients again.  They will be disallowed for
	  3.1.0 and following.
	* Complain instead of crash when "else" and "elsif" are in
	  the wrong place.
	* Clean up memory more aggressively.  This lowers the
	  maximum memory used, most typically for TLS based EAP methods.
	* Prevent the server from unlinking the control socket of an
	  already running instance.
	* Fallback to using the configured OCSP URL if one exists, and
	  no URL is provided in the certificate.
	* Return CoA-NAK if proxying CoA fails.  Based on patch from
	  Jorge Pereira.
	* Lower peak memory usage by decreasing size of internal
	  memory pools.
	* The control socket is now left in place if a second copy
	  of the server is accidentally started.
	* Allow virtual attributes in "switch", "case", etc.
	  Fixes #1240 and #1265.
	* Many spell check / typo fixes in comments and example
	  configuration files.
	* Better handle multiple DHCP listeners.
	* Don't print secrets for old-style realms.  Fixes #1267.
	* Don't fall through in empty "case" statements.
	  Fixes #1274.
	* Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
	* Always delete MS-MPPE-* from the TTLS inner tunnel. This allows
	  TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
	* Fix off by one error that caused some MSCHAP-Error messages to
	  be sent without the password change version (V=3) and the textual
	  message component (M=).
	* Always include C= V= and M= in MSCHAPv2 errors.  RFC 2759 does not say
	  that any of these fields are optional, and not including V= caused
	  errors with wpa_supplicant.
	* Do not include M= in MSCHAPv1 errors.  It's not supported.

FreeRADIUS 3.0.9 Wed 08 Jul 2015 12:00:00 EDT urgency=medium
	Feature improvements
	* Make "pool" configurations more consistent, and
	  update documentation for them.
	* Move connection pool logic to "most recently started",
	  instead of MRU.  This should help with pool stability.
	* More VSAs for 3GPP2
	* Added examples of multi-value attributes to rlm_perl.
	* LDAP-Group and SQL-Group attributes are now dynamically
	  allocated.
	* Only the "sql" module registers SQL-Group.  Other instances
	  register "instance-name-SQL-Group", similarly to "ldap".
	* Unknown attributes are now complained about more often
	  when used in unlang statements.  e.g. if (Foo-Bar == 3)
	  used to be a string to string comparison.  It is now a
	  parse error.
	* Rename RLM_COMPONENT_* to MOD_* in the code.
	  This makes many things easier.
	* Move to C99 initializers for modules.
	* Load modules in raddb/mods-enabled.  This allows attributes
	  like "LDAP-Group" to be used in the "files" module,
	  without explicit ordering or listing in "instantiate".
	* Added 'bootstrap' section to modules.  Third-party modules
	  will need to be updated.
	* When adding clients from a DB, add them to a virtual server
	  if that virtual server has a "listen" section.  Otherwise,
	  add the clients to the global list.
	* When reading dynamic clients from a file, don't expire them
	  if the underlying file is unchanged.
	* Allow the server to originate CoA requests from the post-auth
	  stage.
	* The server creates ${run_dir} and ${logdir} in daemon mode,
	  if they do not already exist.
	* Add dictionary for Wi-Fi Alliance Hotspot 2.0.  The server
	  now supports all mandatory and optional attributes for this
	  specification.
	* HUP now re-loads the configuration only if the files have
	  changed.  If all files are unchanged, HUP re-opens the
	  log file, and does nothing else.
	* Much better debug messages for EAP-TLS, including which
	  attributes are cached, and when they are retrieved.
	* Increase default max_requests to 16384.  Memory is cheap now.
	* Added "stats memory" commands to radmin.  Debug build only.
	* Aptilo controller dictionary updates.
	* SQL modules now use Acct-Unique-Session-Id everywhere.
	* The redis modules are now stable.
	* The LDAP module now supports SASL "interactive bind" method.
	  This allows Kerberos based administrator and user binds.
	* DHCP code is now in libfreeradius-dhcp.
	* More DHCP encoding / decoding unit tests.
	* rlm_replicate can now be listed in the "accounting" section.
	* Better sqlite debugging output.
	* Remove "required" option from many sql_ippool directives.
	* Set default CA "basic constraints" to "critical".  Fixes #1073
	* Updates to help / man pages from Jorge Pereira.
	* Added more tests.

	Bug fixes
	* Be more careful about unused config item warnings
	  when using -Xx.
	* Move more defines to be auto-generated.
	* Allow virtual servers in proxy fallback.
	* Allow %{module:} to work.
	* Don't crash in RadSec.  Closes #980.
	* Return better errors when a unix group / user
	  is not found.
	* Re-enable detail module "locking" parameter.
	* Don't crash when logging replies from Status-Server packets.
	* The couchbase module now uses "update" instead of "map",
	  for consistency with the rest of the server.  See
	  raddb/mods-available/couchbase
	* Don't require NT-Password for MS-CHAP password changes.
	* Be a bit more careful about decrypting MS-CHAP-MPPE-Key
	  attributes. Closes #1013.  There is no perfect fix, tho.
	* Fix security issues with EAP-PWD.
	  See http://freeradius.org/security.html#eap-pwd-2015
	* Fix dynamic clients read from SQL in non-debug mode
	* MS-CHAP now allows retries (i.e. password change) when
	  passwords are expired.
	* Allow "user=radiusd" when the server is already user
	  "radiusd"
	* suid up/down works on non-Linux systems.  This means
	  that the control socket should have the correct
	  ownership.
	* Fix issue which caused the server to sometimes have problems
	  when a home server was marked zombie.
	* Fix format.pl because Perl is now more picky.
	* Fix proxy to Packet-Dst-IP-Address, so that it uses the
	  correct destination port.
	* Fix corner case with cursor functions and removal.
	* OpenDirectory fixes and documentation.
	* Fix leaks in rlm_redis.
	* RFC 6929 "evs" attributes are now encoded / decoded
	  properly.
	* Fix talloc pool leaks when receiving malformed or
	  retransmitted Accounting/CoA requests.
	* Printed attributes again use double quotes instead of
	  single quotes.
	* Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl"
	  to eap.conf.  Fixes oCert CVE-2015-4680.
	* rlm_expr now errors out correctly on malformed attribute
	  references instead of triggering an assert.
	* Make "break" work in "foreach" loops
	* Allow dynamic expansions to work again in the "hints" file.
	* Correct minor typos in comments and examples from Alan Buxey.
	* Re-urlencode the path portion of ldapi:// urls before
	  passing it to ldap_initialize.

FreeRADIUS 3.0.8 Wed 22 Apr 2015 13:30:00 EDT urgency=medium
	Feature improvements
	* Allow syslog_severity to be set in rlm_linelog.
	* Allow defaults to be set for bulk clients in LDAP and couchbase.
	* Updates to dhcpclient.  Patches from Nicolas C.
	* rlm_mschap now supports direct connections to winbind, which
	  is faster than ntlm_auth.  See raddb/mods-available/mschap.
	  Patch from Matthew Newton.
	* Recommend /dev/urandom for TLS randomness, instead of
	  ${certdir}/random
	* Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
	* Allow Expanded EAP types where vendor is 0 (IETF) and
	  type is normal EAP type.  Supplicants sending Expanded
	  EAP types like this are broken.
	* Add support for server side sort controls when searching for
	  user objects in rlm_ldap.

	Bug fixes
	* Don't complain about "authorize" in "server {}" blocks, but
	  only if there's no "server" block.
	* Fix cosmetic issue where debug from the first packet read by
	  a detail reader thread would be emitted during config parsing.
	* Fix ASSERT on truncated detail packets.
	* Don't use main server log functions from within panic_action,
	  as in the case of syslog this would cause deadlocks if the
	  fault was triggered from within a malloc.
	* Fix issue in "switch" when "correct_escapes = false".
	  Fixes #911.
	* Fix sqlcounter configuration to use "%%b" instead of "%b",
	  otherwise the new syntax validation will fail.
	* Allow forward references in configuration items.  Modules
	  aren't always loaded in a sane order.
	* Fix more escaping issues.  Closes #912.
	* Decode MAC addresses correctly for VMPS.
	* Fix memory leak with TLS connections.
	* Fix state machine threading issues for conflicting packets.
	* Fix copy_request_to_tunnel issues for tagged attributes.
	* Allow "ok" to over-ride "updated" inside of Auth-Type sections.
	* Update state machine so that post-proxy is run through child
	  threads for performance, instead of blocking the main thread.
	* Allow "netmask" to work again in client definitions.
	* Relax restrictions on SQL group queries.
	* track outgoing proxy sockets and clean them up more aggressively.
	* track proxy statistics, including CoA and Disconnect.
	* If radmin has a connection failure when running a command,
	  it re-connects and runs the command again.
	* mark home servers "unknown" less aggressively.
	* Fix potential SEGV in PostgreSQL driver on error.
	* Fix issue where fields like nas_type would not be accessible via
	  the %{client:} xlat, for dynamic clients.
	* Set default busy_timeout (of 200ms) in the sqlite driver, so writes
	  don't cause selects to fail in multithreaded mode. This is user
	  configurable, and may be increased if required.
	* Convert Password-With-Header attributes to binary (from hex or
	  base64), in the authorize method of rlm_pap.
	* Fix invalid assert in state.c, that could cause abort in
	  post-auth.
	* Fix double free when -m flag is used, and connection pools are
	  referenced by multiple modules.
	* RADIUS over TLS accounting uses the same port as authentication.
	* Regularized return codes from radmin commands.
	* Fix RHEL spec file so it works correctly for Centos7 which uses
	  systemd, and didn't like the SystemV init script.
	* radwho and radlast now have a -D option to load dictionaries
	* DHCP packets are no longer checked for duplicates.
	* Don't crash in sql module group comparisons in corner case.
	* Calculate MPPE keys correctly when using TLS 1.2.
	* Fix load-balance sections.  Closes #945
	* TLS certificates are available again in the post-auth section.
	  They are not available for session resumption.
	* radclient encodes CHAP-Password properly when using -c.
	  Closes #955.
	* Fix issue in rlm_cache_memcached driver that caused variable
	  length values to be truncated.
	* Fix track functionality in detail reader, so it no longer
	  fails with a "Failed marking detail request as done: Bad file
	  descriptor" error.
	* Actually add the peer identity (as User-Name) to the inner
	  tunnel in EAP-PWD requests, so it's available for lookups.
	* Fixes to PostgreSQL queries.  Patches from Santiago Gimeno.

FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
	Feature improvements
	* Allow coa home_servers to be derived from client
	  sections if a coa_server section is provided.
	* Automatically determine the correct port if no port is
	  provided for a home server.
	* Allow foreach to operate over lists.
	* Add compile time features to ${feature.*} and versions
	  of core libraries to ${version.*}.  Feature and version
	  names match output of radiusd -xv. %v is now deprecated.
	* Add support for PATCH method in rlm_rest.
	* Validate more module xlats on startup, and warn if an
	  xlat expansion is found in a double quoted config item
	  which will not be expanded.
	* Add support for sub-second timeouts in rlm_rest.
	* Add support for connection timeouts in rlm_rest.
	* Add %{jsonquote:<str>} xlat to escape strings for insertion
	  into json documents.
	* Add %{ldapquote:<str>} xlat to escape strings for insertion
	  into ldap DNs.
	* Add %{explode:&ref <char>}, splits value of &ref on
	  <char> and creates new &ref type attributes with the
	  fragments.
	* Allow rlm_ldap to use attribute references for base_dn and
	  filter config items. The attribute references are not
	  escaped, allowing DNs and filters to be created dynamically.
	* Add %{nexttime:[<int>]h|d|w|y} to calculate the number of
	  seconds before the next <int> hour(s), day(s), week(s),
	  or year(s).
	* Allow the left side of update sections to be xlat expansions.
	  The result of the expansion is then used to reference the
	  attribute to be modified.
	* Added %{lpad:&Attribute-Name 7 x} and rpad.  These produce
	  fixed-width output strings, with padding to the left (lpad)
	  or the right (rpad).
	* For some SQL drivers (MySQL, sqlite) distinguish between
	  constraints violations (on insert), invalid queries, and
	  server errors, and return noop, invalid, and error respectively.
	* Call SHOW WARNINGS in the MySQL driver and write them to
	  the request log, if libmysqlclient indicates warnings are
	  available on the server.
	* Forbid the creation of Vendor-Specific for non-standard
	  VSAs.  Use Attr-26 = 0x... instead.
	* Make dhcpclient work with raw sockets and various other
	  improvements - Contributed by nchaigne
	* Add support for SSHA2 - Contributed by PDD.
	* Add perle dictionary - Contributed by Hachmer
	* Modernise init scripts for RHEL, SUSE and Debian.
	* radmin now tracks the return code of commands, and exits
	  with status "1" if any command failed to execute.
	* radmin now sends error messages from the server to
	  stderr, instead of to stdout.
	* radmin now looks for sockets matching its UID and GID,
	  rather than just always using the first one it finds.
	* radmin can now delete clients which are tied to a listener.
	* Moved RADIUS attribute definitions to src/include/rfc*.h
	* Move to talloc pools for requests.  For in-memory tests
	  (default config, 'users' file), performance increases by 30%.
	* In rlm_ldap allow sasl_mech to be specified for admin and
	  user binds. Only non-interactive mechs (like EXTERNAL)
	  are currently supported.
	* Remove support for ephemeral RSA keys.  They were "export only",
	  and should not be used by anyone.
	* Syntax errors in the "users" file now produce better
	  error messages.

	Bug fixes
	* Fix issues parsing LDAP hostnames with non-standard ports.
	* Fix issues with realms containing regular expressions.
	* Allow unary negation before parentheses in rlm_expr.
	* Fix infinite loop in kevent event loop code. Issue only
	  presented on FreeBSD.
	* Be more careful to define Auth-Types before loading modules.
	* Link libfreeradius-radius against OpenSSL too, to avoid
	  multi-version symbols in SSL libraries.
	* When rlm_ldap rebinds a connection, it should use bind
	  credentials from the module that created the connection
	  pool, not credentials from the module referencing it.
	* Empty server config pairs should be allowed in rlm_ldap
	  instances that reference another module's connection pool.
	* Mark rlm_always as huppable, so its rcode can be changed
	  via radmin (allows policy toggles).
	* Emit warnings when ignoring user configured pool values.
	* Fix issue that would cause radclient to complain
	  intermittently about differing numbers of filters and
	  requests.
	* Fix cosmetic issues in connection pool logging, that made
	  it appear as if the same connection was being opened
	  multiple times.
	* Fix threadsafety issues in SQL drivers, where a static
	  buffer was used to store error messages.
	* Log RERROR, RWARN, RINFO to the global log if request
	  logging is not enabled.
	* Link to libldap instead of libldap_r. libldap_r
	  is not supported for use by projects outside of OpenLDAP.
	* Set connection timeout correctly in rlm_sql_mysql.
	* Build with older versions of libcurl, and use CFLAGS from
	  curl-config.
	* Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
	* Initialise ldapai_info_version field, so libldap will report
	  its vendor and version.
	* Fix log rotation scripts by using the copyrotate option.
	* Fix issue that caused opening control sockets to always
	  fail on non-Linux systems, if a user or group was set.
	* Save Session-State after proxying.
	* Additional fixes for reading CoA/DM requests from detail
	  files.
	* Create dynamic clients if the dynamic clients virtual server
	  returns ok *or* updated. Emit useful messages for other codes.
	* Compile bare "authorize" statements, and issue errors saying
	  using them isn't a good idea.

FreeRADIUS 3.0.6 Wed 17 Dec 2014 16:00:00 EDT urgency=medium
	Feature improvements
	* radmin / raddebug conditional errors are printed
	  to the output, instead of being discarded.
	* raddebug will exit if condition set with -c was invalid.
	* radmin auto-reconnects if the connection to the server
	  has gone away.
	* rlm_cache now has submodule support.  See
	  raddb/mods-available/cache
	* New memcached driver for rlm_cache. See
	  raddb/mods-available/cache
	* Add support for &Attribute-Name[*] in conditions.
	  See "man unlang" for details.
	* Add &Attribute-Name[n] which gets the last instance
	  of an attribute e.g. Module-Failure-Message[n].
	* Allow for redundant string expansions.  See the
	  "instantiate" section of radiusd.conf.
	* When checking IP addresses in conditions, make the
	  right side be parsed as an IP prefix.
	* Support JIT compilation of compiled regular expressions
	  when built with libpcre.
	* Support named capture groups with "%{regex:<name>}"
	  when built with libpcre.
	* Increase regular expression capture groups from 8 to 32.
	* Emit error markers for badly formed regular expressions.
	* Allow 'm' flag to enable multiline mode in regular
	  expressions.
	* Support limited implicit attribute conversion in update
	  sections.
	* Support casting between IPv6 and IPv4 where the IPv6
	  address has the v4/v6 mapping prefix (::ffff:).

	Bug fixes
	* PEAP works again.  As does proxying EAP-MSCHAPv2
	  from inside of a PEAP tunnel.
	* "group" is allowed inside of "instantiate" sections.
	* update disconnect {} with
	  disconnect:Packet-Dst-IP-Address now works correctly.
	* Regular expression comparisons of non string attributes
	  are now disallowed in the files module.  Previously
	  they would silently fail or produce undefined behaviour.
	* Fix parsing of old regular expressions.  Closes #842
	* Fix off by one error in ascend filters.  Closes #843.
	* Handle NT-Hash in rlm_pap.  This allows passwords to
	  have backslashes in them.
	* Fix infinite loop on "Fall-Through = yes" when
	  processing SQL groups.
	* Correct the check of SQL query return code.
	* Run "Post-Auth-Type Reject" if the request was rejected
	  in post-auth
	* Write "Login OK" only if the post-auth section passed.
	* Create TLS-Cert-* certificates, even when EAP session
	  caching is disabled.
	* Finalize the "correct_escapes" with many more tests.
	* Move to the new OpenLDAP libldap API, fixes more issues
	  with binary values.
	* Fix potential memory corruption in rlm_ldap if start
	  connections were set to 0, and the server was running
	  in threaded mode. The fix is a workaround for an issue
	  in libldap and was suggested by Howard Chu.
	* Give parse errors on "%{...", without the closing brace.
	* Allow spaces in certificate passwords for build rules
	  in raddb/certs//
	* Make all regular expression evaluation binary safe.
	  Where that's not possible, emit an error if the pattern
	  or subject contains an embedded null byte.
	* Fix various issues around masking IPv6 addresses.
	* Give descriptive error if unknown attributes are used
	  in "update" sections.
	* Deal with cases where ldap_initialize isn't available
	  gracefully, and use it exclusively when it's available.

FreeRADIUS 3.0.5 Fri 21 Nov 2014 15:30:00 EDT urgency=medium
	Feature improvements
	* Large update to Huawei dictionary.
	* Added dictionary.rfc7155
	* Regular expressions like /%{User-Name}/ are now parsed
	  and validated when the server starts.
	* All configuration items which are dynamically expanded
	  are now parsed and validated when the server starts.
	* %{expr:...} expressions can now do bit shifting and more.
	  See raddb/mods-available/expr.
	* The detail file reader can now track packets which have
	  had replies, so they are never re-transmitted.  See
	  raddb/sites-available/buffered-sql, the "track" config item.
	* CoA and Disconnect packets can now be sent to a specific
	  home server by setting control:Packet-Dst-IP-Address and
	  (optionally) control:Packet-Dst-Port.
	* Allow CoA and Disconnect packets to be read from the
	  detail file.
	* Allow LDAP to specify arbitrary attributes for dynamic
	  clients.
	* Convert all unused attributes in the control: list to config
	  pairs in dynamic clients. This allows arbitrary client
	  attributes to be set for dynamic clients too.
	* rlm_couchbase now supports bulk loading of clients on startup
	  in a similar way to rlm_ldap. Contributed by Aaron Hurt.
	* Allow one level of backslashes (finally).  See radiusd.conf,
	  "correct_escapes" setting.
	* Rename dictionary.redback to dictionary.ericsson.ab
	* Add --disable-openssl-version-check option to configure.
	  So vendors can disable the check.  Patch from
	  Nikolai Kondrashov.
	* Do context-specific indenting in debug messages.  This makes
	  the debug output easier to read.
	* Make configuration a separate RPM, just like for Debian.
	* better decoding of unknown VSAs
	* When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
	  in EAP methods.
	* Allow multiple new connections to be spawned simultaneously
	  in the connection pool, to cope with spikes in traffic.
	* Document retry_delay in connection pools.
	* Allow checksimul in rlm_couchbase.
	* Use kqueue on systems which support it.  This allows for
	  better scaling when using many sockets.

	Bug fixes
	* Parse list qualifiers in generic LDAP 'valuepair_attribute'
	  attributes correctly.
	* Fix issue where prefix length would be ignored for dynamic
	  or static clients if the address matched INADDR_ANY
	  (0.0.0.0).
	* Allow null user object filter in rlm_ldap, it's valid to
	  specify a complete object DN and use the base scope.
	* Don't SEGV if a received attribute value in a JSON structure
	  is null, or a value can't be stringified.
	* Don't assert if the server returns a JSON content-type and
	  the server hasn't been built with support for JSON.
	  Closes #808.
	* Set CURLOPT_NOSIGNAL to prevent curl from handling signals
	  and causing a longjmp error when the server was running with
	  threads.
	* Allow tabs after attribute names in the "users" file.
	  Closes #796.
	* Free unknown DICT_ATTRs.  Closes #795
	* Handle unknown attributes in the conditions and "update"
	  sections.  e.g. Attr-1.2.3.4 = foo.
	* Use correct array size for MS-CHAP new password.
	* In rlm_rest, check for older versions of libraries at start
	  time, rather than when a packet comes in.
	* Don't call detach on parse error in rlm_perl.  Closes #802.
	* Integer fixes for big-endian systems.  Closes #803.
	* Don't optimize %{Packet-Src-IP-Address}.  Closes #804.
	* dhcpclient loads dictionaries correctly.  Closes #805.
	* double quotes are no longer escaped in single-quoted
	  strings.  e.g. 'foo "hello" bar'.
	* Fixes for proxying to virtual servers broke the detail file
	  reader.  Now they both work.
	* Typos and fixes from Nikolai Kondrashov.
	* Fixes to OpenSSL version checks, for cross-platform issues.
	* cppcheck fixes from Herwin Weststrate.
	* Fix build for OSX Yosemite
	* Merge DHCP sub-options.  Closes #812.
	* Fix decoding of Starent attributes.
	* When a module asks for a connection, don't return idle
	  connections.
	* LDAP connection timeouts will now retry, instead of failing.
	* Prevent race conditions between fork and wait for child.
	  Patch from James Rouzier.
	* Fix triggers for connection pools.  Patches from
	  Nikolai Kondrashov.
	* Fix SEGV when comparing non string type check items.
	* Build with newer versions of libmysqlclient.
	* make the %{escape:} and %{unescape:} xlat functions UTF8
	  safe.
	* Don't escape UTF8 chars in SQL query strings.
	* Fix issue in cached LDAP group comparisons, which caused
	  checks to sometimes fail.
	* Fix use after free issue in unlang switch evaluation.
	* Respect operators in rlm_cache when merging into the current
	  request.
	* Update Cache-Entry-Hits each time rlm_cache is called.
	* Produce WARN messages if SQL queries are empty strings.
	* Fix invalid assertion when proxying CoA requests.
	* Allow empty strings in "case" statements.  Closes #836.
	* Normalize escaping for string expansions.  i.e. don't do
	  double escaping in rare situations.
	* Normalize LDAP escaping.  LDAP servers have multiple ways
	  to escape things, so the data has to be normalized before
	  we can compare two LDAP DNs.
	* Don't go to high debug level if we're proxying inner EAP
	  as EAP.  Closes #839.
	* Fix rlm_rest state handling.  Closes #835.

FreeRADIUS 3.0.4 Wed 10 Sep 2014 12:00:00 EDT urgency=medium
	Feature improvements
	* Home server "response_window" can now take fractions of a
	  second.  See proxy.conf.
	* radmin now supports "show module status", as the counterpart
	  to "set module status"
	* Added dictionary ericsson.packet.ccore.networks, bluecoat,
	  citrix, compatible, riverbed, ruckus, and RFC 7268.
	* Add %{tag:} expansion to get the tag value of an attribute.
	* Report 'application_name' in connections to PostgreSQL servers.
	  FreeRADIUS connections will now appear as
	  'FreeRADIUS <version> - <name>' in pg_stat_activity.
	* All config item fields are now type checked at compile time
	  to prevent issues similar to #634 occurring again.
	* Modify pairparsevalue to deal with embedded NULLs better,
	  and use the binary versions of attribute values in rlm_ldap.
	* "ipaddr" will now use v6 if no v4 address is present.  You should
	  use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
	* The above applies to "listen", "home_server", and "client" sections.
	* "client" sections will allow "ipaddr = 192.192.0/24".  The old
	  "netmask" is still accepted, but the new format is preferred.
	* Allow custom HTTP headers to be set for rlm_rest requests using
	  control:REST-HTTP-Header (attributes consumed after use).
	* Extend format of %{rest:} expansion to allow HTTP method and POST
	  data to be specified
	  e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
	* Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions
	  for signing data in requests.
	* rlm_cache now consumes its control attributes to make runtime
	  configuration easier.
	* Add control:Cache-Read-Only which when set to 'yes' will make the
	  cache module merge existing cache data, but not create new entries.
	* Add %{unescape:} and %{urlunquote:} expansions to reverse escaping
	  and urlquoting.
	* Add support for aliases in rlm_ldap.
	* Add support for connection pool sharing to all modules that use
	  the connection pool (pool = <instance>).
	* "tls" sections now have a "psk_query" configuration item, for dynamic
	  queries to discover a key from a PSK identity.
	* Preliminary support for EAP channel bindings.
	* Foundational work for dynamic home servers.  They do not yet work,
	  but this is now only a matter of updating the "realm" module in
	  a future release.
	* Support &attr[*] syntax to copy all instances of an attribute when
	  used with the += operator in an update section. May be qualified with
	  a tag.
	* The logintime and expiration modules can now be listed in the
	  post-auth section.  This makes some configurations simpler.
	* Allow comparison of integer attributes of different sizes,
	  without requiring a cast.
	* rlm_sqlippool is now IPv6 capable.  Set "ipv6 = yes" to get
	  Framed-IPv6-Prefix returned.  The SQL queries have NOT been updated.
	  Please submit patches.
	* The debian build now checks for the OpenSSL package with the heartbleed
	  fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
	* allow bootstrap from multiple files in sqlite driver.

	Bug fixes
	* make case-insensitive regular expressions work again, and add tests
	  for them.
	* A few more talloc parenting issues
	* Fix delayed proxy reply handling.  Closes #637
	* Fix OpenSSL initialization order when using
	  RADIUS/TLS.  Fixes #646
	* Don't double-quote strings in debugging messages
	* Fix foreach / break.  Fixes #639
	* Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and
	  ADSL-Agent-Remote-Id should be "octets" types in the default
	  dictionary.
	* Fix typo in mainconfig.  Fixes #634
	* More rlm_perl fixes.  Fixes #635
	* Free OpenSSL memory on clean exit.
	* Fix <attr>[0] !* ANY - Was removing all instances of <attr>
	* Fix case where multiple attributes were returned from RHS of
	  mapping, as with rlm_ldap. Fixes #652
	* Fix corner case in cursor where using fr_cursor_next_by_da
	  after calling fr_cursor_remove may have resulted in a read of
	  uninitialised memory.
	* Don't SEGV if all connections to a database server go away.
	  Fixes #651.
	* Fix issue where <attr> -= <value> was not removing tagged
	  instances of <attr> equal to <value> (only untagged).
	* Fix issue where tag values were not being set on attributes
	  created with unlang/ldap update blocks.
	* Create rlm_sqlcounter attributes as integer64 types instead
	  of integer types, so large counter values can be specified.
	* Fix issue where specifying a dynamic client IP address using
	  FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix
	  may have caused a validation error.
	* Don't print two "&" for messages about attribute or list
	  references in debug output.
	* Fix urlquote and escape to encode Unicode characters correctly.
	* Fix redundant-load-balance blocks to try other modules in
	  the group if one fails.
	* Fix issue with rlm_pap password normalisation where
	  'known good' password strings stored in octets type attributes,
	  would be sometimes misnormalised as base64.
	* Don't stop processing DHCP options if we find a 0x00 padding
	  option.
	* Fix issue where modifying the value of an attribute created
	  from a template with a literal value, may have resulted in the
	  template literal being freed.
	* Fix parenting issues in tls code which may have resulted in
	  memory corruption and crashes.
	* Fix issue in radsniff when writing to PCAP files and using
	  -R response filters, where the requests would still be written
	  to the PCAP for non-matching responses.
	* Define __APPLE_USE_RFC_2292 so that the server builds with IPv6
	  support on OSX.
	* Fix LDAP group lookups for named rlm_ldap instances.
	  Note that attribute references should be used when
	  checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
	* Delayed attribute references can now be used in unlang
	  existence checks.  i.e. if (&Attribute-Name) { ... }
	* Fix issues in EAP-PWD.  CVE-2014-4731, CVE-2014-4732, and
	  CVE-2014-4733.  There is no external authentication bypass.
	* Fix a number of uses of the talloc parent/child reference.
	* Release connection used for reading bulk clients in rlm_ldap.
	* rlm_rest is now fail-safe if it's used without any configuration
	* Pull in build fixes for FreeBSD from ports.
	* Fix error in sqlite postauth query
	* Evaluate argument to "switch" statements once, instead of for each
	  "case" statement.
	* Define sig_t on systems without it.  Closes #765.
	* Fix boundary issue with rlm_rest.  Closes #768
	* Optimize "%{Attribute-Name}" in comparisons only if the dictionary
	  types match.
	* Don't do chmod() in rad_mkdir() if the directory already exists.
	  We might not have permission to change it.
	* Use getpwnam_r() and getgrnam_r() on systems which support it.
	  Closes #775.
	* Clients loaded from SQL are now tied to the "listen" section
	  of a virtual server, instead of being global.
	* Check for -lpcre.  The system might have pcre.h without -lpcre.
	* When proxying to a virtual server, use the proxy_reply instead
	  of ignoring it.
	* Fixed typos in DHCP SQL IPPool.
	* Fix crash when passing multiple arguments to Perl xlat.

FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium
	Feature improvements
	* Everything now builds with no warnings from the C compiler,
	  clang static analyzer, or cppcheck.
	* rlm_ldap now supports defining the LDAP attribute name via
	  backticked expansion (i.e. shell command) in
	  RADIUS <-> LDAP mappings.
	* rlm_ldap now supports older style generic attributes.
	* dynamic expansions (e.g. "%{expr:1 + 2}") are now parsed
	  when the server starts.  Syntax errors in the strings
	  are caught, and a descriptive error is printed.
	* Static regular expressions (e.g. /a*b/) are now parsed
	  when the server starts.  Syntax errors in the strings
	  are caught, and a descriptive error is printed.
	* dynamic expansions are cached after being parsed.  They are
	  no longer re-parsed at run-time for every request.
	* regular expressions are now parsed and cached when the server
	  starts.
	* Added the %{rest:} expansion to rlm_rest, which will send
	  a GET request to the URL passed as the format string.
	  Any body text will be written to the expansion buffer.
	* rlm_rest now available as a debian package.
	* When an 'if' condition statically evaluates to true/false,
	  unlang does more static optimization.  For examples, see
	  src/tests/keywords/if-skip
	* All modules are marked as safe for '-C', which lets the
	  dynamic expansion checks work in more situations.
	* Added 'none' and 'custom' rlm_rest body types. 'custom'
	  allows sending of arbitrary expanded text and content-type
	  headers.
	* Added "config" section to Perl.  See mods-available/perl
	* Added '%v' which expands to the server version - Patch
	  from Alan Buxey.
	* more mis-matched casts are caught in "if" conditions,
	  and descriptive errors are printed.
	* Support basic response validation in radclient. This allows
	  administrators to write local test cases for their
	  site-specific configurations.
	* Removed radconf2xml and radmin "show client config" and
	  "show home_server config".
	* Forbid running with vulnerable versions of OpenSSL.
	  See "allow_vulnerable_openssl" in the "security"
	  subsection of "radiusd.conf"
	* Catch underlying "heartbleed" problem, so that nothing bad
	  happens even when using a vulnerable version of OpenSSL.
	* Add locking API for sql_null, linelog, and detail modules,
	  which should improve performance and work around issues
	  on platforms with bad file locking.
	* Allow DHCP NAKs to be delayed, via setting
	  reply:FreeRADIUS-Response-Delay = 1
	* Allow tag and array references anywhere attributes
	  are allowed in "unlang".
	* many enhancements to radsniff, including output
	  to collectd, ipv6 support and packet loss statistics.
	* Many dictionary updates (ZTE, Brocade, Motorola).
	* rlm_yubikey now automatically splits passwords from OTP
	  strings.
	* The detail file reader is now threaded by default.
	  This should improve performance reading the files.

	Bug fixes
	* Fix xlat expression %{attribute[n]} so that it actually
	  returns the n'th attribute instead of the first one.
	* Don't parse string on RHS of update {} when using unary
	  operators (!*).  The RHS should always be ignored.
	* Check for more optional functions in json-c so we can
	  build with libjson0, which is the name of the json-c package
	  on debian/ubuntu.
	* Fix issue in radmin where the main dictionaries would
	  not be loaded which, depending on the configuration, may
	  have caused validation errors.
	* Fix handling of "%{reply:3GPP-*}"
	* Fix rlm_perl garbage attributes
	* Fix oracle SQL queries, which amongst other things still
	  used the old expansion format, which is no longer
	  supported/parsed.
	* Truncate long format strings and error markers instead of
	  omitting them.
	* Fix multiple attribute parsing in rlm_rest JSON.
	* Don't crash in rlm_rest if connect_uri is commented out
	  in the configuration.
	* Don't double-escape strings to / from Perl.  You may need
	  to double-check your Perl scripts if they use "\" characters.
	  See mods-available/perl for documentation.
	* Don't re-run "authorize" if a home server fails to respond.
	* Don't append "0x" to hex output of octets types, for xlat
	  expansions.  This is the same as v2, and makes it easier
	  to concatenate multiple attributes of type "octets"
	* FreeBSD fixes for execinfo linking.
	* Make some of the module configurations more consistent.
	* Fix corner cases where STDOUT wouldn't be closed in
	  daemon mode.
	* Re-enable "update coa" and originating CoA requests.
	* Prevent multiple threads writing to the sql query logs.
	* Fix zombie period calculation.  Closes #579
	* Properly parent VPs for talloc, when moving them in map2request.
	* Various fixes for talloc parent / child relationships
	* Allow rlm_counter to support VSAs.
	* Normalize return codes for many modules. "do nothing" is noop,
	  not "ok".
	* Run Post-Proxy-Type Fail.  Closes #576
	* Fix DHCP destination port for replies to relays.  Closes #591
	* Do-Not-Respond policy works again.  Closes #593
	* Proxy-To-Virtual-Server works again.  Closes #596
	* Build fixes for ancient systems.  Closes #607, #608, #609.
	* %{Module-Return-Code} works again.  Closes #610.
	* Don't increment statistics for Status-Server responses.
	  Closes #612.
	* A duplicate request isn't a duplicate if the original one
	  is marked "done".  This should lower retransmissions from
	  clients.
	* Fix multiple regular expression and glob memory leaks.
	* Don't allocate any memory in fr_fault() as it can cause malloc
	  to deadlock.
	* Temporarily set dumpable flag before calling system in fr_fault()
	  else the debugger may not be able to attach.
	* Set nonblock on all TCP client sockets.
	* Fix minor buffer overrun in mschapv2 where some attribute strings
	  were not correctly \0 terminated.
	* Fix crash on authentication failure with MIT kerberos.
	* Fix code so that octal escape sequences aren't prematurely unescaped
	  in rlm_sql, radclient, preprocess, and other places. This may
	  require configuration changes, as these sequences will no longer
	  need double escaping (\\) of the backslash.
	* The connection pools no longer have one connection used twice
	  in certain rare conditions.
	* Use self pipes for internal signals.  The code was there, but was
	  unused.
	* Don't crash if there are outstanding EAP sessions and we're told to
	  exit gracefully.
	* Fix typo in dictionary.rfc4072

FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium
	Feature improvements
	* secret keys and LDAP / SQL passwords are now printed as
	  '<<< secret >>>' in debugging mode.  Use -Xx to see the
	  actual passwords.
	* Print out more information about passwords in -Xx,
	  including hashes, comparisons, etc.
	* Allow cast (and implicit conversion) of integers to IPv4 addresses
	* More xlats allow attribute references.  This means they can
	  operate on binary data.  e.g. expr, base64, md5, sha1.
	* Added more tests.
	* The dictionaries are now auto-loaded.  raddb/dictionary
	  should no longer have $INCLUDE ${prefix}/share/dictionary
	* A "panic_action" can be set to have the server dump a gdb
	  log on SEGV or other fatal error.  See radiusd.conf
	* Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
	* Add "%{sha256:}" and "%{sha512:}" xlat functions.
	* Cache CUI in EAP session resumption.
	* templates can now have sub-sections, which will be included
	  in the section referencing the template.
	* Update more dictionaries.
	* Added more instances of the "always" module, for all return
	  codes.
	* Suppress broken NASes when proxying.  Retransmits which occur
	  more than once per second are rate-limited to once per second.
	* Allow '&' in more xlat expansions.
	* Update PostgreSQL schema and queries to record last updated
	  time, and accounting interim.
	* Optimize more "if" conditions when the server loads.  This will
	  avoid work at run time.  e.g. ("foo" == "bar") --> FALSE.
	* Allow removal of all attributes within a list with !* operator.
	* Allow list to list copies with request qualifiers (outer.).
	* Add support for ipv4 prefixes and ipv6 addresses and prefixes to
	  %{integer:}.
	* allow radmin command "set module status <module> <code>"
	  which can be used to forcibly enable/disable modules.
	* pap module now assumes Cleartext-Password if Password-With-Header
	  doesn't have a {...} header.
	* Added "unpack" module.  It can unpack binary data from horrible
	  VSA formats.  See raddb/mods-available/unpack
	* Added example IP Pool for DHCP, using sqlite.  From Matthew Newton
	  See raddb/mods-config/sql/ippool-dhcp/

	Bug fixes
	* Fix SQL groups.
	* Fix operation of fr_strerror() with RE*() macros.
	* Don't assert if the connection we're trying to reconnect
	  is not in_use.
	* Fix %{mschap:User-Name} xlat.
	* Allow comparisons of signed integers and of ethernet addresses.
	* Fix parsing of text-based ascend binary filters.
	* Fix a few minor Coverity and clang analyzer issues.
	* Log WARNING and ERROR prefixes only once, not twice.
	* Fix attribute truncation seen in Perl and other places.
	* Use correct port when DHCP relaying.
	* Fix behaviour on FreeBSD where sending packets from an interface
	  bound to an IP address would fail when the server was built with
	  udpfromto.
	* Don't abort() when freeing home servers on exit.
	* Fix edge case in pairmove() when some attributes could be
	  overwritten.
	* Do checks for individual sqlite v2 functions so rlm_sqlite builds
	  correctly with more versions of the library.
	* In heimdal kerberos, create MEMORY ccaches on a per context basis.
	  This prevents issues with the root ccache being used.
	* Fix corner case with proxying, where home server goes down.
	* Rate-limit "max_requests" complaint.  We don't want to fill the
	  logs when something goes wrong.
	* Use /dev/urandom for raddb/certs/random, if it exists.
	* Issue WARNING that old-style clients should no longer be used.
	* Auto-set secret to "radsec" for tcp+tls home servers.
	* Fix double free in home_server_add when there is a parse error
	  on startup.
	* rlm_unix checks if the dictionaries are broken, instead of crashing
	* Fix potential memory corruption when normalising salted password
	  hashes from hex, where the combined hash and salt was > 64 bytes.
	* Register sqlcounter attributes correctly, and other issues with it
	* treat 127.0.0.1/32 as being identical to 127.0.0.1
	* Don't mangle error output of SQL drivers like PostgreSQL
	* Fix usage of "tls = ${tls}".  It could previously cause problems
	  when the reference was used multiple times.
	* Fix TLS session leak for incoming sockets.
	* Try harder to clean up memory on exit when using "-mM"
	* Fix memory leak when home server is down for RadSec connections
	* rate-limit outgoing connection attempts when the home server
	  is down.  It will retry no more than once per second.
	* When parsing ipv6 address prefixes, always mask off the host
	  portion.
	* Fix rlm_counter so that it does not create two reply
	  attributes.
	* Fix issues with DHCP Sub-TLVs where the value of the first
	  Sub-TLV would appear corrupted, and subsequent TLVs would
	  not appear in debug output.
	* Initialize scope in IP address parsing
	* Prevent vendor attributes and RFC space attributes from clashing
	  in rlm_attr_filter.
	* Set source IP address for DHCP packets from DHCP-Server-IP-Address,
	  or DHCP-DHCP-Server-Identifier, if we're unable to otherwise
	  determine the source IP.
	* Fix POST attribute parsing in rlm_rest.
	* Fix JSON attribute parsing in rlm_rest.
	* Don't append trailing & to POST options in rlm_rest (minor).
	* Process HTTP 100 Continue messages correctly in rlm_rest
	* Fix generation of long > 512 byte POST payloads, where attribute
	  values on the chunk boundary may have been omitted in rlm_rest.
	* Remove duplicate escape sequence parsing in rlm_sqlippool and
	  rlm_sqlcounter which caused issues with escaping %. Escape
	  sequence parsing is now handled purely by the xlat functions.
	* Ensure %% is treated as a string literal, and so not passed to any
	  xlat escape functions for processing.
	* Correct calculation of Message-Authenticator
	  for CoA packets.  Closes #556

FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
	Feature improvements
	* Add "timeout" to exec, and "ntlm_auth_timeout" to mschap.
	  So that run-away child processes are caught earlier.
	* Allow TLS clients to use "proto = tls", in which case
	  TLS is required.  The shared secret is then set to "radsec".
	* More documentation in the tls virtual server.
	* Add "date" module for date formatting.
	  See raddb/mods-available/date.
	* Added unit test suite for internal server functionality
	* When loading "update" sections, check if the RHS is a literal
	  value.  If so, syntax check it immediately.
	* Update LDAP module documentation and functionality.
	  The generic attribute can now update lists.
	* Updated dictionary.extreme.
	* Update sqlippool to do clears as a separate transaction,
	  and at most once per second.  This should help MySQL.
	* Respect control:Response-Packet-Type for all types of
	  requests.
	* Add support for SSL encryption to the MySQL driver.
	* Allow arbitrary connection parameters to be used with the
	  PostgreSQL driver.
	* Changes to the OpenLDAP schema to fully expose functionality
	  of the new LDAP module.
	* Update debian packaging to include a freeradius-config
	  package. This package may be provided as a site local
	  package to avoid fighting with the preinstalled config
	  files.

	Bug fixes
	* Use correct field for ARP setting in DHCP.
	* Fix crash on debug condition (#454).
	* Fix a number of minor issues caught by the clang
	  analyzer.
	* Set WARNING messages to yellow instead of normal text.
	* Correct debug colorise logic.  Patch from Phil Mayers.
	* Encode attributes of type "ethernet".  No one uses them,
	  but it makes sense.
	* Work around regex initialization issues.
	* Fix build when linking against OpenSSL.
	* Print IDs as positive numbers, which helps for large DHCP
	  XIDs.
	* Fix issue with sql_ippool.
	* sqlcounter now uses 64-bit counters, to deal with 4G overflow.
	* Fix issues with DHCP subsystem.
	* Don't build / install disabled modules, or their config
	  files.
	* Fix build for OSX Mavericks, which hid the header files
	  in a magical place.
	* Fix LEAP buffer issue.  You should still avoid LEAP.
	* Mark "unknown" WiMAX attributes as being WiMAX.
	* Fix typo in packet decoder for fragmented extended attrs
	* RPM spec fixes.
	* Fix rlm_perl build issues when not using threads.
	* Enable %{Response-Packet-Type} again.
	* Update configuration file parser to handle "bool"
	  consistently.
	* Update declarations of global boolean variables to use
	  "bool" consistently. This fixes an issue where some
	  modules were instantiated in "config check" mode and
	  did not work correctly.
	* Make more messages debug instead of info, to avoid
	  polluting the logs with messages that can't be fixed.
	* Set operator in internal unlang code to suppress spurious
	  warning messages.
	* Fix debian packaging.
	* Added "status" to Debian init script.
	* Fix "update outer.request" to update the outer request.
	* Don't print TLS debugging messages when not in debug mode.
	* Correctly manage counters for "limit" sections of TCP / TLS
	  "listen" sockets.
	* Fix libldap debug output.
	* Fix rlm_ldap tls functionality.
	* Initialise OpenSSL globals early to avoid issues with the
	  PostgreSQL library.
	* Fix typo in sqlcounter expansion code.  Fixes #463
	* Overwrite previous instances of SQL-User-Name when adding
	  it to the request.
	* Work around bugs in both MIT and heimdal versions of
	  krb5_copy_context(), which caused segfaults in
	  multithreaded mode.
	* Provide meaningful error messages if Heimdal krb5 is used.
	* Fix attribute suppression in rlm_detail.
	* Exit with error code if child fails to complete server
	  initialisation after forking.  This allows init scripts to
	  correctly report whether the server started ok.

FreeRADIUS 3.0.0 Mon  7 Oct 2013 15:48:14 EDT urgency=medium
	Feature improvements
	* Documentation for upgrading from 2.x is in raddb/README.rst
	  Please follow it.  It will make the upgrade easier.
	* Moved configuration entries in radiusd.conf to make more sense.
	* Added the "integer64" and "ipv4prefix" data types.
	* Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
	* Updated internal API to support new attributes and formats
	* Added code to send SNMP Traps.  See raddb/trigger.conf.
	* Added preliminary support for Apple's Grand Central Dispatch
	* Added provisions for raddb/dictionary.local, for local changes.
	  See raddb/dictionary for more details.
	* Added packet/s tracking. See max_pps in the "listen" section.
	* The %{} expansions and "unlang" conditions are now parsed at server
	  start. Descriptive errors are produced for syntax and format errors.
	* Casting is now supported for "unlang" comparisons.  See "man unlang"
	  e.g. <ipaddr>127.0.0.1 == Framed-IP-Address.
	* Direct comparison of attribute references is now supported.
	  e.g. &Foo == &Bar.  This avoids stringification of the attributes.
	* Direct assignment of attributes is now supported.
	  e.g. Foo := &Bar.  It also works for "octets" data types.
	* Comparisons of IPv4 and IPv6 prefixes are now supported.
	  The "<" operator means "within the prefix" for comparisons.
	* New sha1 xlat expansion (thanks to Alan Buxey)
	* Colourised log messages when logging to stdout.  Look for yellow
	  warnings and red errors.  Doing this will save you a LOT of grief.
	* If the PCRE library is available, use it (instead of the POSIX
	  functions) to process regular expressions (thanks to Phil Mayers).
	* -xv now displays all the features the server was built with, and
	  the versions of the core libraries (libtalloc, libssl).

	Module Changes
	* Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/,
	  following the examples of other projects.
	* Additional files for each module are now in raddb/mods-config/.
	  See raddb/mods-config/README.rst for documentation.
	* Moved "users" to raddb/mods-config/files/authorize
	* Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
	* Moved eap.conf to mods-available/eap
	* Moved sql.conf to mods-available/sql
	* Moved TLS configuration for EAP into a common subsection.
	  See raddb/mods-available/eap, "tls-config" section.
	* Added support for MS-CHAP Change Password from Phil Mayers.
	  See raddb/mods-available/mschap, "passchange" subsection.
	* Added EAP-PWD implementation from Dan Harkins
	* Added connection pools for modules. This unifies connection
	  management which was previously different for different modules.
	* SQL now uses the connection pool.  See mods-available/sql
	* SQL now supports arbitrary Acct-Status-Types.
	  These changes are not compatible with 2.x.
	* SQL now has full support for SQLite.  See raddb/sql/main/sqlite/
	* SQLite supports auto-creation of new databases on server startup for
	  bootstrapping purposes.
	* LDAP now uses the connection pool.  The LDAP module has been
	  completely re-written for performance and simplicity.
	* LDAP now caches groups.  This makes multiple group checks MUCH
	  faster.
	* Removed all limitations on 253 octet attributes.  RFC 6929 allows
	  for attributes up to 4K in length.
	* New rlm_idn module providing an expansion for performing IDNA encoding
	  of internationalized domain names.  Thanks to 'skids'.
	* New rlm_yubikey module to validate yubikey OTP tokens.
	  See raddb/modules/yubikey

	Bug fixes
	* All known bug fixes from 2.2.x are included.
	* Removed "addport" functionality.
	* Removed many unused or duplicate modules.  See raddb/README.rst.

	Internal / API changes:
	* All traces of the old build system have been removed.
	  The new build system is faster and simpler.
	* clang is fully supported.
	* We now use "talloc" for memory management.  A number of new
	  features required this change.  Thanks to the Samba people!
	* Many internal APIs have been updated to use talloc.
	* New API for iterating over VALUE_PAIRs.  This is in preparation
	  for attributes, in version 3.1.
	* No new code should directly modify any field of a VALUE_PAIR.
	* VALUE_PAIRs contain pointers to DICT_ATTR instead of containing
	  attribute and vendor fields.  This will allow nested attributes.
	* Some protocol specific code has been moved out into proto_* modules.
	  More will come in subsequent versions.  See proto_dhcp and proto_vmps.
	* Standardised internal logging macros.  radlog() should not be used.
	  See src/include/log.h
	* Use OpenSSL hashing functions when available.
	* The server now builds with no warnings on most platforms.
	* New RADIUS encoder/decoder, to support new formats.
	* Added RFC 6929 "extended attributes", via the new encoder/decoder.
	* Added full WiMAX support, via the new encoder/decoder.  The old
	  code could not handle some unusual corner cases.