[freeradius.git] / doc / ChangeLog

FreeRADIUS 3.0.4 Mon 12 May 2014 15:30:00 EDT urgency=medium
        Feature improvements
        * Home server "response_window" can now take fractions of a
          second.  See proxy.conf.
        * radmin now supports "show module status", as the counterpart
          to "set module status"
        * Added dictionary ericsson.packet.ccore.networks
        * Add %{tag:} expansion to get the tag value of an attribute.
        * Report 'application_name' in connections to PostgreSQL servers.
          FreeRADIUS connections will now appear as
          'FreeRADIUS <version> - <name>' in pg_stat_activity.
        * All config item fields are now type checked at compile time
          to prevent issues similar to #634 occuring again.
        * Modify pairparsevalue to deal with embedded NULLs better,
          and use the binary versions of attribute values in rlm_ldap.
        * "ipaddr" will now use v6 if no v4 address is present.  You should
          use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
        * The above applies to "listen", "home_server", and "client" sections.
        * "client" sections will allow prefixes as "192.192.0/24".  The old
          "netmask" is still accepted, but the new format is preferred.
        * Allow custom HTTP headers to be set for rlm_rest requests using
          control:REST-HTTP-Header (attributes consumed after use).
        * Extend format of %{rest:} expansion to allow HTTP method and POST
          data to be specified
          e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
        * Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions
          for signing data in requests.
        * rlm_cache now consumes its control attributes to make runtime
          configuration easier.
        * Add control:Cache-Read-Only which when set to 'yes' will make the
          cache module merge existing cache data, but not create new entries.
        * Add %{unescape:} and %{urlunquote:} expansions to reverse escaping
          and urlquoting.
        * Add support for aliases in rlm_ldap.

        Bug fixes
        * make case-insensitive regular expressions work again.
        * Added tests for the above
        * A few more talloc parenting issues
        * Fix delayed proxy reply handling.  Closes #637
        * Fix OpenSSL initialization order when using
          RADIUS/TLS.  Fixes #646
        * Don't double-quote strings in debugging messages
        * Fix foreach / break.  Fixes #639
        * Chargeable-User-Identifier should be "octets"
        * Fix typo in mainconfig.  Fixes #634
        * More rlm_perl fixes.  Fixes #635
        * Free OpenSSL memory on clean exit.
        * Fix <attr>[0] !* ANY - Was removing all instances of <attr>
        * Fix case where multiple attributes were returned from LHS of
          mapping, as with rlm_ldap. Fixes #652
        * Fix corner case in cursor where using fr_cursor_next_by_da
          after calling fr_cursor_remove may of resulted in a read of
          uninitialised memory.
        * Don't SEGV if all connections to a database server go away.
          Fixes #651.
        * Fix issue where <attr> -= <value> was not removing tagged
          instances of <attr> equal to <value> (only untagged).
        * Fix issue where tag values were not being set on attributes
          created with unlang/ldap update blocks.
        * Create rlm_sqlcounter attributes as integer64 types instead
          of integer types, so large counter values can be specified.
        * Fix issue where specifying a dynamic client IP addresss using
          FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix
          may have caused a validation error.
        * Don't print two "&" for messages about attribute or list
          references.
        * Fix urlquote and escape to encode Unicode characters correctly.
        * Fix redundant-load-balance blocks to try other modules in
          the group if one fails.
        * Fix issue with rlm_pap password normalisation where
          'known good' password strings stored in octets type attributes,
          would be sometimes misnormalised as base64.
        * Don't stop processing DHCP options if we fine a 0x00 padding
          option.

FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium
        Feature improvements
        * Everything now builds with no warnings from the C compiler,
          clang static analyzer, or cppcheck.
        * rlm_ldap now supports defining the LDAP attribute name via
          backticked expansion (i.e. shell command) in
          RADIUS <-> LDAP mappings.
        * rlm_ldap now supports older style generic attributes.
        * dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed
          when the server starts.  Syntax errors in the strings
          are caught, and a descriptive error is printed.
        * Static regular expressions (e.g. /a*b/) are now parsed
          when the server starts.  Syntax errors in the strings
          are caught, and a descriptive error is printed.
        * dynamic expansions are cached after being parsed.  They are
          no longer re-parsed at run-time for every request.
        * regular expressions are now parsed and cached when the server
          starts.
        * Added the %{rest:} expansion to rlm_rest, which will send
          a GET request to the URL passed as the format string.
          Any body text will be written to the expansion buffer.
        * rlm_rest now available as a debian package.
        * When an 'if' condition statically evaluates to true/false,
          unlang does more static optimization.  For examples, see
          src/tests/keywords/if-skip
        * All modules are marked as safe for '-C', which lets the
          dynamic expansion checks work in more situations.
        * Added 'none' and 'custom' rlm_rest body types. 'custom'
          allows sending of arbitrary expanded text and content-type
          headers.
        * Added "config" section to Perl.  See mods-available/perl
        * Added '%v' which expands to the server version - Patch
          from Alan Buxey.
        * more mis-matched casts are caught in "if" conditions,
          and descriptive errors are printed.
        * Support basic response validation in radclient. This allows
          administrators to write local test cases for their
          site-specific configurations.
        * Removed radconf2xml and radmin "show client config" and
          "show home_server config".
        * Forbid running with vulnerable versions of OpenSSL.
          See "allow_vulnerable_openssl" in the "security"
          subsection of "radiusd.conf"
        * Catch underlying "heartbleed" problem, so that nothing bad
          happens even when using a vulnerable version of OpenSSL.
        * Add locking API for sql_null, linelog, and detail modules,
          which should improve performance and work around issues
          on platforms with bad file locking.
        * Allow DHCP NAKs to be delayed, via setting
          reply:FreeRADIUS-Response-Delay = 1
        * Allow tag and array references anywhere attributes
          are allowed in "unlang".
        * many enhancements to radsniff, including output
          to collectd, ipv6 support and packet loss statistics.
        * Many dictionary updates (ZTE, Brocade, Motorola).
        * rlm_yubikey now automatically splits passwords from OTP
          strings.
        * The detail file reader is now threaded by default.
          This should improve performance reading the files.

        Bug fixes
        * Fix xlat expression %{attribute[n]} so that it actually
          returns the n'th attribute instead of the first one.
        * Don't parse string on RHS of update {} when using unary
          operators (!*).  The RHS should always be ignored.
        * Check for more optional functions in json-c so we can
          Build with libjson0, which is the name of the json-c package
          on debian/ubuntu.
        * Fix issue in radmin where the main dictionaries would
          not be loaded which, depending on the configuration, may
          have caused validation errors.
        * Fix handling of "%{reply:3GPP-*}"
        * Fix rlm_perl garbage attributes
        * Fix oracle SQL queries, which amongst other things still
          used the old expansion format, which is no longer
          supported/parsed.
        * Truncate long format strings and error markers instead of
          omitting them.
        * Fix multiple attribute parsing in rlm_rest JSON.
        * Don't crash in rlm_rest if connect_uri is commented out
          in the configuration.
        * Don't double-escape strings to / from Perl.  You may need
          to double-check your Perl scripts if they use "\" characters.
          See mods-available/perl for documentation.
        * Don't re-run "authorize" if a home server fails to respond.
        * Don't append "0x" to hex output of octets types, for xlat
          expansions.  This is the same as v2, and makes it easier
          to concatenate multiple attributes of type "octets"
        * FreeBSD fixes for execinfo linking.
        * Make some of the module configurations more consistent.
        * Fix corner cases where STDOUT wouldn't be closed in
          daemon mode.
        * Re-enable "update coa" and originating CoA requests.
        * Prevent multiple threads writing to the sql query logs.
        * Fix zombie period calculation.  Closes #579
        * Properly parent VPs for talloc, when moving them in map2request.
        * Various fixes for talloc parent / child relationships
        * Allow rlm_counter to support VSAs.
        * Normalize return codes for many modules. "do nothing" is noop,
          not "ok".
        * Run Post-Proxy-Type Fail.  Closes #576
        * Fix DHCP destination port for replies to relays.  Closes #591
        * Do-Not-Respond policy works again  Closes #593
        * Proxy-To-Virtual-Server works again.  Closes #596
        * Build fixes for ancient systems.  Closes #607, #608, #609.
        * %{Module-Return-Code} works again.  Closes #610.
        * Don't increment statistics for Status-Server responses.
          Closes #612.
        * A duplicate request isn't a duplicate if the original one
          is marked "done".  This should lower retransmissions from
          clients.
        * Fix multiple regular expression and glob memory leaks.
        * Don't allocate any memory in fr_fault() as it can cause malloc
          to deadlock.
        * Temporarily set dumpable flag before calling system in fr_fault()
          else the debugger may not be able to attach.
        * Set nonblock on all TCP client sockets.
        * Fix minor buffer overrun in mschapv2 where some attribute strings
          were not correctly \0 terminated.
        * Fix crash on authentication failure with MIT kerberos.
        * Fix code so that octal escape sequences aren't prematurely unescaped
          in rlm_sql, radclient, preprocess, and other places. This may
          require configuration changes, as these sequences will no longer
          need double escaping (\\) of the backslash.
        * The connection pools no longer have one connection used twice
          in certain rare conditions.
        * Use self pipes for internal signals.  The code was there, but was
          unused.
        * Don't crash if there are outstanding EAP sessions and were told to
          exit gracefully.
        * Fix typo in dictionary.rfc4072

FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium
        Feature improvements
        * secret keys and LDAP / SQL passwords are now printed as
          '<<< secret >>>' in debugging mode.  Use -Xx to see the
          actual passwords.
        * Print out more information about passwords in -Xx,
          including hashes, comparisons, etc.
        * Allow cast (and implicit conversion) of integers to IPv4 addresses
        * More xlats allow attribute references.  This means they can
          operate on binary data.  e.g. expr, base64, md5, sha1.
        * Added more tests.
        * The dictionaries are now auto-loaded.  raddb/dictionary
          should no longer have $INCLUDE ${prefix}/share/dictionary
        * A "panic_action" can be set to have the server dump a gdb
          log on SEGV or other fatal error.  See radiusd.conf
        * Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
        * Add "%{sha256:}" and "%{sha512:}" xlat functions.
        * Cache CUI in EAP session resumption.
        * templates can now have sub-sections, which will be included
          in the section referencing the template.
        * Update more dictionaries.
        * Added more instances of the "always" module, for all return
          codes.
        * Suppress broken NASes when proxying.  Retransmits which occur
          more than once per second are rate-limited to once per second.
        * Allow '&' in more xlat expansions.
        * Update PostgreSQL schema and queries to record last updated
          time, and accounting interim.
        * Optimize more "if" conditions when the server loads.  This will
          avoid work at run time.  e.g. ("foo" == "bar") --> FALSE.
        * Allow removal of all attributes within a list with !* operator.
        * Allow list to list copies with request qualifiers (outer.).
        * Add support for ipv4 prefixes and ipv6 addresses and prefixes to
          %{integer:}.
        * allow radmin command "set module status <module> <code>"
          which can be used to forcibly enable/disable modules.
        * pap module now assumes Cleartext-Password if Password-With-Header
          doesn't have a {...} header.
        * Added "unpack" module.  It can unpack binary data from horrible
          VSA formats.  See raddb/mods-available/unpack
        * Added example IP Pool for DHCP, using sqlite.  From Matthew Newton
          See raddb/mods-config/sql/ippool-dhcp/

        Bug fixes
        * Fix SQL groups.
        * Fix operation of fr_strerror() with RE*() macros.
        * Don't assert if the connection we're trying to reconnect
          is not in_use.
        * Fix %{mschap:User-Name} xlat.
        * Allow comparisons of signed integers and of ethernet addresses.
        * Fix parsing of text-based ascend binary filters.
        * Fix a few minor Coverity and clang analyzer issues.
        * Log WARNING and ERROR prefixes only once, not twice.
        * Fix attribute truncation seen in Perl and other places.
        * Use correct port when DHCP relaying.
        * Fix behaviour on FreeBSD where sending packets from an interface
          bound to an IP address would fail when the server was built with
          udpfromto.
        * Don't abort() when freeing home servers on exit.
        * Fix edge case in pairmove() when some attributes could be over-
          written.
        * Do checks for individual sqlite v2 functions so rlm_sqlite builds
          correctly with more versions of the library.
        * In heimdal kerberos, create MEMORY ccaches on a per context basis.
          This prevents issues with the root ccache being used.
        * Fix corner case with proxying, where home server goes down.
        * Rate-limit "max_requests" complaint.  We don't want to fill the
          logs when something goes wrong.
        * Use /dev/urandom for raddb/certs/random, if it exists.
        * Issue WARNING that old-style clients should no longer be used.
        * Auto-set secret to "radsec" for tcp+tls home servers.
        * Fix double free in home_server_add when there is a parse error
          on startup.
        * rlm_unix checks if the dictionaries are broken, instead of crashing
        * Fix potential memory corruption when normalising salted password
          hashes from hex, where the combined hash and salt was > 64 bytes.
        * Register sqlcounter attributes correctly, and other issues with it
        * treat 127.0.0.1/32 as being identical to 127.0.0.1
        * Don't mangle error output of SQL drivers like PostgreSQL
        * Fix usage of "tls = ${tls}".  It could previously cause problems
          when the reference was used multiple times.
        * Fix TLS session leak for incoming sockets.
        * Try harder to clean up memory on exit when using "-mM"
        * Fix memory leak when home server is down for RadSec connections
        * rate-limit outgoing connection attempts when the home server
          is down.  It will retry no more than once per second.
        * When parsing ipv6 address prefixes, always mask off the host
          portion.
        * Fix rlm_counter so that it does not create two reply
          attributes.
        * Fix issues with DHCP Sub-TLVs where the value of the first
          Sub-TLV would appear corrupted, and subsequent TLVs would
          not appear in debug output.
        * Initialize scope in IP address parsing
        * Prevent vendor attributes and RFC space attributes from clashing
          in rlm_attr_filter.
        * Set source IP address for DHCP packets from DHCP-Server-IP-Address,
          or DHCP-DHCP-Server-Identifier, if we're unable to otherwise
          determine the source IP.
        * Fix POST attribute parsing in rlm_rest.
        * Fix JSON attribute parsing in rlm_rest.
        * Don't append trailing & to POST options in rlm_rest (minor).
        * Process HTTP 100 Continue messages correctly in rlm_rest
        * Fix generation of long > 512 byte POST payloads, where attribute
          values on the chunk boundary may have been omitted in rlm_rest.
        * Remove duplicate escape sequence parsing in rlm_sqlippool and
          rlm_sqlcounter which caused issues with escaping %. Escape
          sequence parsing is now handled purely by the xlat functions.
        * Ensure %% is treated as a string literal, and so not passed to any
          xlat escape functions for processing.
        * Correct calculation of Message-Authenticator
          for CoA packets.  Closes #556

FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
        Feature improvements
        * Add "timeout" to exec, and "ntlm_auth_timeout" to mschap.
          So that run-away child processes are caught earlier.
        * Allow TLS clients to use "proto = tls", in which case
          TLS is required.  The shared secret is then set to "radsec".
        * More documentation in the tls virtual server.
        * Add "date" module for date formatting.
          See raddb/mods-available/date.
        * Added unit test suite for internal server functionality
        * When loading "update" sections, check if the RHS is a literal
          value.  If so, syntax check it immediately.
        * Update LDAP module documentation and functionality.
          The generic attribute can now update lists.
        * Updated dictionary.extreme.
        * Update sqlippool to do clears as a separate transaction,
          and at most once per second.  This should help MySQL.
        * Respect control:Response-Packet-Type for all types of
          requests.
        * Add support for SSL encryption to the MySQL driver.
        * Allow arbitrary connection parameters to be used with the
          PostgreSQL driver.
        * Changes to the OpenLDAP schema to fully expose functionality
          of the new LDAP module.
        * Update debian packaging to include a freeradius-config
          package. This package may be provided as a site local
          package to avoid fighting with the preinstalled config
          files.

        Bug fixes
        * Use correct field for ARP setting in DHCP.
        * Fix crash on debug condition (#454).
        * Fix a number of minor issues caught by the clang
          analyzer.
        * Set WARNING messages to yellow instead of normal text.
        * Correct debug colorise logic.  Patch from Phil Mayers.
        * Encode attributes of type "ethernet".  No one uses them,
          but it makes sense.
        * Work around regex initialization issues.
        * Fix build when linking against OpenSSL.
        * Print IDs as positive numbers, which helps for large DHCP
          XIDs.
        * Fix issue with sql_ippool.
        * sqlcounter now uses 64-bit counters, to deal with 4G overflow.
        * Fix issues with DHCP subsystem.
        * Don't build / install disabled modules, or their config
          files.
        * Fix build for OSX Mavericks, which hid the header files
          in a magical place.
        * Fix LEAP buffer issue.  You should still avoid LEAP.
        * Mark "unknown" WiMAX attributes as being WiMAX.
        * Fix typo in packet decoder for fragmented extended attrs
        * RPM spec fixes.
        * Fix rlm_perl build issues when not using threads.
        * Enable %{Response-Packet-Type} again.
        * Update configuration file parser to handle "bool"
          consistently.
        * Update declarations of global boolean variables to use
          "bool" consistently. This fixes an issue where some
          modules were instantiated in "config check" mode and
          did not work correctly.
        * Make more messages debug instead of info, to avoid
          polluting the logs with messages that can't be fixed.
        * Set operator in internal unlang code to suppress spurious
          warning messages.
        * Fix debian packaging.
        * Added "status" to Debian init script.
        * Fix "update outer.request" to update the outer request.
        * Don't print TLS debugging messages when not in debug mode.
        * Correctly manage counters for "limit" sections of TCP / TLS
          "listen" sockets.
        * Fix libldap debug output.
        * Fix rlm_ldap tls functionality.
        * Initialise OpenSSL globals early to avoid issues with the
          PostgreSQL library.
        * Fix typo in sqlcounter expansion code.  Fixes #463
        * Overwrite previous instances of SQL-User-Name when adding
          it to the request.
        * Work around bugs in both MIT and heimdal versions of
          krb5_copy_context(), which caused segfaults in
          multithreaded mode.
        * Provide meaningful error messages if Heimdal krb5 is used.
        * Fix attribute supression in rlm_detail.
        * Exit with error code if child fails to complete server
          initialisation after forking.  This allows init scripts to
          correctly report whether the server started ok.

FreeRADIUS 3.0.0 Mon  7 Oct 2013 15:48:14 EDT urgency=medium
        Feature improvements
        * Documentation for upgrading from 2.x is in raddb/README.rst
          Please follow it.  It will make the upgrade easier.
        * Moved configuration entries in radiusd.conf to make more sense.
        * Added the "integer64" and "ipv4prefix" data types.
        * Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
        * Updated internal API to support new attributes and formats
        * Added code to send SNMP Traps.  See raddb/trigger.conf.
        * Added preliminary support for Apple's Grand Central Dispatch
        * Added provisions for raddb/dictionary.local, for local changes.
          See raddb/dictionary for more details.
        * Added packet/s tracking. See max_pps in the "listen" section.
        * The %{} expansions and "unlang" conditions are now parsed at server
          start. Descriptive errors are produced for syntax and format errors.
        * Casting is now supported for "unlang" comparisons.  See "man unlang"
          e.g. <ipaddr>127.0.0.1 == Framed-IP-Address.
        * Direct comparison of attribute references is now supported.
          e.g. &Foo == &Bar.  This avoids stringification of the attributes.
        * Direct assignment of attributes is now supported.
          e.g. Foo := &Bar.  It also works for "octets" data types.
        * Comparisons of IPv4 and IPv6 prefixes are now supported.
          The "<" operator means "within the prefix" for comparisons.
        * New sha1 xlat expansion (thanks to Alan Buxey)
        * Colourised log messages when logging to stdout.  Look for yellow
          warnings and red errors.  Doing this will save you a LOT of grief.
        * If the PCRE library is available, use it (insted of the POSIX
          functions) to process regular expressions (thanks to Phil Mayers).
        * -xv now displays all the features the server was built with, and
          the versions of the core libraries (libtalloc, libssl).

        Module Changes
        * Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/,
          following the examples of other projects.
        * Additional files for each module are now in raddb/mods-config/.
          See raddb/mods-config/README.rst for documentation.
        * Moved "users" to raddb/mods-config/files/authorize
        * Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
        * Moved eap.conf to mods-available/eap
        * Moved sql.conf to mods-available/sql
        * Moved TLS configuration for EAP into a common subsection.
          See raddb/mods-available/eap, "tls-config" section.
        * Added for MS-CHAP Change Password from Phil Mayers.
          See raddb/mods-available/mschap, "passchange" subsection.
        * Added EAP-PWD implementation from Dan Harkins
        * Added connection pools for modules. This unifies connection
          management which was previously different for different modules.
        * SQL now uses the connection pool.  See mods-available/sql
        * SQL now supports arbitrary Acct-Status-Types.
          These changes are not compatible with 2.x.
        * SQL now has full support for SQLite.  See raddb/sql/main/sqlite/
        * SQLite supports auto-creation of new databases on server startup for
          bootstrapping purposes.
        * LDAP now uses the connection pool.  The LDAP module has been
          completely re-written for performance and simplicity.
        * LDAP now caches groups.  This makes multiple group checks MUCH
          faster.
        * Removed all limitations on 253 octet attributes.  RFC 6929 allows
          for attributes up to 4K in length.
        * New rlm_idn module providing an expansion for performing IDNA encoding
        of internationalized domain names.  Thanks to 'skids'.
        * New rlm_yubikey module to validate yubikey OTP tokens.
          See raddb/modules/yubikey

        Bug fixes
        * All known bug fixes from 2.2.x are included.
        * Removed "addport" functionality.
        * Removed many unused or duplicate modules.  See raddb/README.rst.

        Internal / API changes:
        * All traces of the old build system have been removed.
          The new build system is faster and simpler.
        * clang is fully supported.
        * We now use "talloc" for memory management.  A number of new
          features required this change.  Thanks to the Samba people!
        * Many internal APIs have been updated to use talloc.
        * New API for iterating over VALUE_PAIRs.  This is in preparation
          for attributes, in version 3.1.
        * No new code should directly modify any field of a VALUE_PAIR.
        * VALUE_PAIRs contain pointers to DICT_ATTR instead of containing
          attribute and vendor fields.  This will allow nested attributes.
        * Some protocol specific code has been moved out into proto_* modules.
          More will come in subsequent versions.  See proto_dhcp and proto_vmps.
        * Standardised internal logging macros.  radlog() should not be used.
          See src/include/log.h
        * Use OpenSSL hashing functions when available.
        * The server now builds with no warnings on most platforms.
        * New RADIUS encoder/decoder, to support new formats.
        * Added RFC 6929 "extended attributes", via the new encoder/decoder.
        * Added full WiMAX support, via the new encoder/decoder.  The old
          code could not handle some unusual corner cases.