Note TLS issues

[freeradius.git] / doc / ChangeLog

FreeRADIUS 3.0.8 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
        Feature improvements
        * Allow syslog_severity to be set in rlm_linelog.
        * Allow defaults to be set for bulk clients in LDAP and couchbase.
        * Updates to dhcpclient.  Patches from Nicolas C.
        * rlm_mschap now supports direct connections to winbind, which
          is faster than ntlm_auth.  See raddb/mods-available/mschap.
          Patch from Matthew Newton.
        * Recommend /dev/urandom for TLS randomness, instead of
          ${certdir}/random
        * Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
        * Allow Expanded EAP types where vendor is 0 (IETF) and
          type is normal EAP type.  Supplicants sending Expanded
          EAP types like this are broken.

        Bug fixes
        * Don't complain about "authorize" in "server {}" blocks, but
          only if there's no "server" block.
        * Fix cosmetic issue where debug from the first packet read by
          a detail reader thread would be emited during config parsing.
        * Fix ASSERT on truncated detail packets.
        * Don't use main server log functions from within panic_action,
          as in the case of syslog this would cause deadlocks if the
          fault was triggered from within a malloc.
        * Fix issue in "switch" when "correct_escapes = false".
          Fixes #911.
        * Fix sqlcounter configuration to use "%%b" instead of "%b",
          otherwise the new syntax validation will fail.
        * Allow forward references in configuration items.  Modules
          aren't always loaded in a sane order.
        * Fix more escaping issues.  Closes #912.
        * Decode MAC addresses correctly for VMPS.
        * Fix memory leak with TLS connections.
        * Fix state machine threading issues for conflicting packets.
        * Fix copy_request_to_tunnel issues for tagged attributes.
        * Allow "ok" to over-ride "updated" inside of Auth-Type sections.
        * Update state machine so that post-proxy is run though child
          threads for performance, instead of blocking the main thread.
        * Allow "netmask" to work again in client definitions.
        * Relax restrictions on SQL group queries.
        * track outgoing proxy sockets and clean them up more aggressively.
        * track proxy statistics, including CoA and Disconnect.
        * If radmin has a connection failure when running a command,
          it re-connects and runs the command again.
        * mark home servers "unknown" less aggressively.
        * Fix potential SEGV in PostgreSQL driver on error.
        * Fix issue where fields like nas_type would not be accessible via
          the %{client:} xlat, for dynamic clients.
        * Set default busy_timeout (of 200ms) in the sqlite driver, so writes
          don't cause selects to fail in multithreaded mode. This is user
          configurable, and may be increased if required.
        * Convert Password-With-Header attributes to binary (from hex or
          base64), in the authorize method of rlm_pap.
        * Fix invalid assert in state.c, that could cause abort in
          post-auth.
        * Fix double free when -m flag is used, and connection pools are
          referenced by multiple modules.
        * RADIUS over TLS accounting uses the same port as authentication.
        * Regularized return codes from radmin commands.
        * Fix RHEL spec file so it works correctly for Centos7 which uses
          systemd, and didn't like the SystemV init script.
        * radwho and radlast now have a -D option to load dictionaries
        * DHCP packets are no longer checked for duplicates.
        * Don't crash in sql module group comparisons in corner case.
        * Calculate MPPE keys correctly when using TLS 1.2.
        * Fix load-balance sections.  Closes #945
        * TLS certificates are available again in the post-auth section.
          They are not available for session resumption.

FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium
        Feature improvements
        * Allow coa home_servers to be derived from client
          sections if a coa_server section is provided.
        * Automatically determine the correct port if no port is
          provided for a home server.
        * Allow foreach to operate over lists.
        * Add compile time features to ${feature.*} and versions
          of core libraries to ${version.*}.  Feature and version
          names match output of radiud -xv. %v is now deprecated.
        * Add support for PATCH method in rlm_rest.
        * Validate more module xlats on startup, and warn if an
          xlat expansion is found in a double quoted config item
          which will not be expanded.
        * Add support for sub-second timeouts in rlm_rest.
        * Add support for connection timeouts in rlm_rest.
        * Add %{jsonquote:<str>} xlat to escape strings for insertion
          into json documents.
        * Add %{ldapquote:<str>} xlat to escape strings for insertion
          into ldap DNs.
        * Add %{explode:&ref <char>}, splits value of &ref on
          <char> and creates new &ref type attributes with the
          fragments.
        * Allow rlm_ldap to use attribute references for base_dn and
          filter config items. The attribute references are not
          escaped, allowing DNs and filters to be created dynamically.
        * Add %{nexttime:[<int>]h|d|w|y} to calculate the number of
          seconds before the next <int> hour(s), day(s), week(s),
          or year(s).
        * Allow the left side of update sections to be xlat expansions.
          The result of the expansion is then used to reference the
          attribute to be modified.
        * Added %{lpad:&Attribute-Name 7 x} and rpad.  These produce
          fixed-width output strings, with padding to the left (lpad)
          or the right (rpad).
        * For some SQL drivers (MySQL, sqlite) distinguish between
          constraints violations (on insert), invalid queries, and
          server errors, and return noop, invalid, and error respectively.
        * Call SHOW WARNINGS in the MySQL driver and write them to
          the request log, if libmysqlclient indicates warnings are
          available on the server.
        * Forbid the creation of Vendor-Specific for non-standard
          VSAs.  Use Attr-26 = 0x... instead.
        * Make dhcpclient work with raw sockets and various other
          improvements - Contributed by nchaigne
        * Add support for SSHA2 - Contributed by PDD.
        * Add perle dictionary - Contributed by Hachmer
        * Modernise init scripts for RHEL, SUSE and Debian.
        * radmin now tracks the return code of commands, and exits
          with status "1" if any command failed to execute.
        * radmin now sends error messages from the server to
          stderr, instead of to stdout.
        * radmin now looks for sockets matching it's UID and GID,
          rather than just always using the first one it finds.
        * radmin can how delete clients which are tied to a listener.
        * Moved RADIUS attribute definitions to src/include/rfc*.h
        * Move to talloc pools for requests.  For in-memory tests
          (default config, 'users' file), performance increases by 30%.
        * In rlm_ldap allow sasl_mech to be specified for admin and
          user binds. Only non-interactive mechs (like EXTERNAL)
          are currently supported.
        * Remove support for ephemeral RSA keys.  They were "export only",
          and should not be used by anyone.
        * Syntax errors in the "users" file now produce better
          error messages.

        Bug fixes
        * Fix issues parsing LDAP hostnames with non-standard ports.
        * Fix issues with realms containing regular expressions.
        * Allow unary negation before parantheses in rlm_expr.
        * Fix infinite loop in kevent event loop code. Issue only
          presented on FreeBSD.
        * Be more careful to define Auth-Types before loading modules.
        * Link libfreeradius-radius against OpenSSL too, to avoid
          multi-version symbols in SSL libraries.
        * When rlm_ldap rebinds a connection, it should use bind
          credentials from the module that created the connection
          pool, not credentials from the module referencing it.
        * Empty server config pairs should be allowed in rlm_ldap
          instances that reference another module's connection pool.
        * Mark rlm_always as huppable, so its rcode can be changed
          via radmin (allows policy toggles).
        * Emit warnings when ignoring user configured pool values.
        * Fix issue that would cause radclient to complain
          intermittently about differing numbers of filters and
          requests.
        * Fix cosmetic issues in connection pool logging, that made
          it appear as if the same connection was being opened
          multiple times.
        * Fix threadsafety issues in SQL drivers, where a static
          buffer was used to store error messages.
        * Log RERROR, RWARN, RINFO to the global log if request
          logging is not enabled.
        * Link to libldap instead of libldap_r. libldap_r
          is not supported for use by projects outside of OpenLDAP.
        * Set connection timeout correctly in rlm_sql_mysql.
        * Build with older versions of libcurl, and use CFLAGS from
          curl-config.
        * Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
        * Initialise ldapai_info_version field, so libldap will report
          its vendor and version.
        * Fix log rotation scripts by using the copyrotate option.
        * Fix issue that caused opening control sockets to always
          fail on non-Linux systems, if a user or group was set.
        * Save Session-State after proxying.
        * Additional fixes for reading CoA/DM requests from detail
          files.
        * Create dynamic clients if the dynamic clients virtual server
          returns ok *or* updated. Emit useful messages for other codes.
        * Compile bare "authorize" statements, and issue errors saying
          using them isn't a good idea.

FreeRADIUS 3.0.6 Wed 17 Dec 2014 16:00:00 EDT urgency=medium
        Feature improvements
        * radmin / raddebug conditional errors are printed
          to the output, instead of being discarded.
        * raddebug will exit if condition set with -c was invalid.
        * radmin auto-reconnects if the connection to the server
          has gone away.
        * rlm_cache now has submodule support.  See
          raddb/mods-available/cache
        * New memcached driver for rlm_cache. See
          raddb/mods-available/cache
        * Add support for &Attribute-Name[*] in conditions.
          See "man unlang" for details.
        * Add &Attribute-Name[n] which gets the last instance
          of an attribute e.g. Module-Failure-Message[n].
        * Allow for redundant string expansions.  See the
          "instantiate" section of radiusd.conf.
        * When checking IP addresses in conditions, make the
          right side be parsed as an IP prefix.
        * Support JIT compilation of compiled regular expressions
          when built with libpcre.
        * Support named capture groups with "%{regex:<name>}"
          when built with libpcre.
        * Increase regular expression capture groups from 8 to 32.
        * Emit error markers for badly formed regular expressions.
        * Allow 'm' flag to enable multiline mode in regular
          expressions.
        * Support limited implicit attribute conversion in update
          sections.
        * Support casting between IPv6 and IPv4 where the IPv6
          address has the v4/v6 mapping prefix (::ffff:).

        Bug fixes
        * PEAP works again.  As does proxying EAP-MSCHAPv2
          from inside of a PEAP tunnel.
        * "group" is allowed inside of "instantiate" sections.
        * update disconnect {} with
          disconnect:Packet-Dst-IP-Address now works correctly.
        * Regular expression comparisons of non string attributes
          are now disallowed in the files module.  Previously
          they would silently fail or produce undefined behaviour.
        * Fix parsing of old regular expressions.  Closes #842
        * Fix off by one error in ascend filters.  Closes #843.
        * Handle NT-Hash in rlm_pap.  This allows passwords to
          have backslashes in them.
        * Fix infinite loop on "Fall-Through = yes" when
          processing SQL groups.
        * Correct the check of SQL query return code.
        * Run "Post-Auth-Type Reject" if the request was rejected
          in post-auth
        * Write "Login OK" only if the post-auth section passed.
        * Create TLS-Cert-* certificates, even when EAP session
          caching is disabled.
        * Finalize the "correct_escapes" with many more tests.
        * Move to the new OpenLDAP libldap API, fixes more issues
          with binary values.
        * Fix potential memory corruption in rlm_ldap if start
          connections were set to 0, and the server was running
          in threaded mode. The fix is a workaround for an issue
          in libldap and was suggested by Howard Chu.
        * Give parse errors on "%{...", without the closing brace.
        * Allow spaces in certificate passwords for build rules
          in raddb/certs//
        * Make all regular expression evaluation binary safe.
          Where that's not possible, emit an error if the pattern
          or subject contains an embedded null byte.
        * Fix various issues around masking IPv6 addresses.
        * Give descriptive error if unknown attributes are used
          in "update" sections.
        * Deal with cases where ldap_initialize isn't available
          gracefully, and use it exclusively when it's available.

FreeRADIUS 3.0.5 Fri 21 Nov 2014 15:30:00 EDT urgency=medium
        Feature improvements
        * Large update to Huawei dictionary.
        * Added dictionary.rfc7155
        * Regular expressions like /%{User-Name}/ are now parsed
          and validated when the server starts.
        * All configuration items which are dynamically expanded
          are now parsed and validated when the server starts.
        * %{expr:...} expressions can now do bit shifting and more.
          See raddb/mods-available/expr.
        * The detail file reader can now track packets which have
          had replies, so they are never re-transmitted.  See
          raddb/sites-available/buffered-sql, the "track" config item.
        * CoA and Disconnect packets can now be sent to a specific
          home server by setting control:Packet-Dst-IP-Address and
          (optionally) control:Packet-Dst-Port.
        * Allow CoA and Disconnect packets to be read from the
          detail file.
        * Allow LDAP to specify arbitrary attributes for dynamic
          clients.
        * Convert all unused attributes in the control: list to config
          pairs in dynamic clients. This allows arbitrary client
          attributes to be set for dynamic clients too.
        * rlm_couchbase now supports bulk loading of clients on startup
          in a similar way to rlm_ldap. Contributed by Aaron Hurt.
        * Allow one level of backslashes (finally).  See radiusd.conf,
          "correct_escapes" setting.
        * Rename dictionary.redback to dictionary.ericsson.ab
        * Add --disable-openssl-version-check option to configure.
          So vendors can disable the check.  Patch from
          Nikolai Kondrashov.
        * Do context-specific indenting in debug messages.  This makes
          the debug output easier to read.
        * Make configuration a separate RPM, just like for Debian.
        * better decoding of unknown VSAs
        * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
          in EAP methods.
        * Allow multiple new connections to be spawned simultaneously
          in the connection pool, to cope with spikes in traffic.
        * Document retry_delay in connection pools.
        * Allow checksimul in rlm_couchbase.
        * Use kqueue on systems which support it.  This allows for
          better scaling when using many sockets.

        Bug fixes
        * Parse list qualifiers in generic LDAP 'valuepair_attribute'
          attributes correctly.
        * Fix issue where prefix length would be ignored for dynamic
          or static clients if the address matched INADDR_ANY
          (0.0.0.0).
        * Allow null user object filter in rlm_ldap, it's valid to
          specify a complete object DN and use the base scope.
        * Don't SEGV if a received attribute value in a JSON structure
          is null, or a value can't be stringified.
        * Don't assert if the server returns a JSON content-type and
          the server hasn't been built with support for JSON.
          Closes #808.
        * Set CURLOPT_NOSIGNAL to prevent curl from handling signals
          and causing a longjmp error when the server was running with
          threads.
        * Allow tabs after attribute names in the "users" file.
          Closes #796.
        * Free unknown DICT_ATTRs.  Closes #795
        * Handle unknown attributes in the conditions and "update"
          sections.  e.g. Attr-1.2.3.4 = foo.
        * Use correct array size for MS-CHAP new password.
        * In rlm_rest, check for older versions of libraries at start
          time, rather than when a packet comes in.
        * Don't call detach on parse error in rlm_perl.  Closes #802.
        * Integer fixes for big-endian systems.  Closes #803.
        * Don't optimize %{Packet-Src-IP-Address}.  Closes #804.
        * dhcpclient loads dictionaries correclty.  Closes #805.
        * double quotes are no longer escaped in single-quoted
          strings.  e.g. 'foo "hello" bar'.
        * Fixes for proxying to virtual servers broke the detail file
          reader.  Now they both work.
        * Typos and fixes from Nikolai Kondrashov.
        * Fixes to OpenSSL version checks, for cross-platform issues.
        * cppcheck fixes from Herwin Weststrate.
        * Fix build for OSX Yosemite
        * Merge DHCP sub-options.  Closes #812.
        * Fix decoding of Starent attributes.
        * When a module asks for a connection, don't return idle
          connections.
        * LDAP connection timeouts will now retry, instead of failing.
        * Prevent race conditions between fork and wait for child.
          Patch from James Rouzier.
        * Fix triggers for connection pools.  Patches from
          Nikolai Kondrashov.
        * Fix SEGV when comparing non string type check items.
        * Build with newer versions of libmysqlclient.
        * make the %{escape:} and %{unescape:} xlat functions UTF8
          safe.
        * Don't escape UTF8 chars in SQL query strings.
        * Fix issue in cached LDAP group comparisons, which caused
          checks to sometimes fail.
        * Fix use after free issue in unlang switch evaluation.
        * Respect operators in rlm_cache when merging into the current
          request.
        * Update Cache-Entry-Hits each time rlm_cache is called.
        * Produce WARN messages if SQL queries are empty strings.
        * Fix invalid assertion when proxying CoA requests.
        * Allow empty strings in "case" statements.  Closes #836.
        * Normalize escaping for string expansions.  i.e. don't do
          double escaping in rare situations.
        * Normalize LDAP escaping.  LDAP servers have multiple ways
          to escape things, so the data has to be normalized before
          we can compare two LDAP DNs.
        * Don't go to high debug level if we're proxying inner EAP
          as EAP.  Closes #839.
        * Fix rlm_rest state handling.  Closes #835.

FreeRADIUS 3.0.4 Wed 10 Sep 2014 12:00:00 EDT urgency=medium
        Feature improvements
        * Home server "response_window" can now take fractions of a
          second.  See proxy.conf.
        * radmin now supports "show module status", as thee counterpart
          to "set module status"
        * Added dictionary ericsson.packet.ccore.networks, bluecoat,
          citrix, compatible, riverbed, ruckus, and RFC 7268.
        * Add %{tag:} expansion to get the tag value of an attribute.
        * Report 'application_name' in connections to PostgreSQL servers.
          FreeRADIUS connections will now appear as
          'FreeRADIUS <version> - <name>' in pg_stat_activity.
        * All config item fields are now type checked at compile time
          to prevent issues similar to #634 occuring again.
        * Modify pairparsevalue to deal with embedded NULLs better,
          and use the binary versions of attribute values in rlm_ldap.
        * "ipaddr" will now use v6 if no v4 address is present.  You should
          use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
        * The above applies to "listen", "home_server", and "client" sections.
        * "client" sections will allow "ipaddr = 192.192.0/24".  The old
          "netmask" is still accepted, but the new format is preferred.
        * Allow custom HTTP headers to be set for rlm_rest requests using
          control:REST-HTTP-Header (attributes consumed after use).
        * Extend format of %{rest:} expansion to allow HTTP method and POST
          data to be specified
          e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
        * Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions
          for signing data in requests.
        * rlm_cache now consumes its control attributes to make runtime
          configuration easier.
        * Add control:Cache-Read-Only which when set to 'yes' will make the
          cache module merge existing cache data, but not create new entries.
        * Add %{unescape:} and %{urlunquote:} expansions to reverse escaping
          and urlquoting.
        * Add support for aliases in rlm_ldap.
        * Add support for connection pool sharing to all modules that use
          the connection pool (pool = <instance>).
        * "tls" sections now have a "psk_query" configuration item, for dynamic
          queries to discover a key from a PSK identity.
        * Preliminary support for EAP channel bindings.
        * Foundational work for dynamic home servers.  They do not yet work,
          but this is now only a matter of updating the "realm" module in
          a future release.
        * Support &attr[*] syntax to copy all instances of an attribute when
          used with the += operator in an update section. May be qualified with
          a tag.
        * The logintime and expiration modules can now be listed in the
          post-auth section.  This makes some configurations simpler.
        * Allow comparison of integer attributes of different sizes,
          without requiring a cast.
        * rlm_sqlippool is now IPV6 capable.  Set "ipv6 = yes" to get
          Framed-IPv6-Prefix returned.  The SQL queries have NOT been updated.
          Please submit patches.
        * The debian build now checks for the OpenSSL package with the heartbleed
          fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
        * allow bootstrap from multiple files in sqlite driver.

        Bug fixes
        * make case-insensitive regular expressions work again, and add tests
          for them.
        * A few more talloc parenting issues
        * Fix delayed proxy reply handling.  Closes #637
        * Fix OpenSSL initialization order when using
          RADIUS/TLS.  Fixes #646
        * Don't double-quote strings in debugging messages
        * Fix foreach / break.  Fixes #639
        * Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and
          ADSL-Agent-Remote-Id should be "octets" types in the default
          dictionary.
        * Fix typo in mainconfig.  Fixes #634
        * More rlm_perl fixes.  Fixes #635
        * Free OpenSSL memory on clean exit.
        * Fix <attr>[0] !* ANY - Was removing all instances of <attr>
        * Fix case where multiple attributes were returned from RHS of
          mapping, as with rlm_ldap. Fixes #652
        * Fix corner case in cursor where using fr_cursor_next_by_da
          after calling fr_cursor_remove may of resulted in a read of
          uninitialised memory.
        * Don't SEGV if all connections to a database server go away.
          Fixes #651.
        * Fix issue where <attr> -= <value> was not removing tagged
          instances of <attr> equal to <value> (only untagged).
        * Fix issue where tag values were not being set on attributes
          created with unlang/ldap update blocks.
        * Create rlm_sqlcounter attributes as integer64 types instead
          of integer types, so large counter values can be specified.
        * Fix issue where specifying a dynamic client IP addresss using
          FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix
          may have caused a validation error.
        * Don't print two "&" for messages about attribute or list
          references in debug output.
        * Fix urlquote and escape to encode Unicode characters correctly.
        * Fix redundant-load-balance blocks to try other modules in
          the group if one fails.
        * Fix issue with rlm_pap password normalisation where
          'known good' password strings stored in octets type attributes,
          would be sometimes misnormalised as base64.
        * Don't stop processing DHCP options if we find a 0x00 padding
          option.
        * Fix issue where modifying the value of an attribute created
          from a template with a literal value, may have resulted in the
          template literal being freed.
        * Fix parenting issues in tls code which may have resulted in
          memory corruption and crashes.
        * Fix issue in radsniff where writing to PCAP files and using
          -R response filters, where the requests would still be written
          to the PCAP for non matching responses.
        * Define __APPLE_USE_RFC_2292 so that the server builds with IPv6
          support on OSX.
        * Fix LDAP group lookups for named rlm_ldap instances.
          Note that attribute references should be used when
          checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
        * Delayed attribute references can now be used in unlang
          existence checks.  i.e. if (&Attribute-Name) { ... }
        * Fix issues in EAP-PWD.  CVE-2014-4731, CVE-2014-4732, and
          CVE-2014-4733.  There is no external authentication bypass.
        * Fix a number of uses of the talloc parent/child reference.
        * Release connection used for reading bulk clients in rlm_ldap.
        * rlm_rest is now fail-safe if it's used without any configuration
        * Pull in build fixes for FreeBSD from ports.
        * Fix error in sqlite postauth query
        * Evaluate argument to "switch" statements once, instead of for each
          "case" statement.
        * Define sig_t on systems without it.  Closes #765.
        * Fix boundary issue with rlm_rest.  Closes #768
        * Optimize "%{Attribute-Name}" in comparisons only if the dictionary
          types match.
        * Don't do chmod() in rad_mkdir() if the directory already exists.
          We might not have permission to change it.
        * Use getpwnam_r() and getgrnam_r() on systems which support it.
          Closes #775.
        * Clients loaded from SQL are now tied to the "listen" section
          of a virtual server, instead of being global.
        * Check for -lpcre.  The system might have pcre.h without -lpcre.
        * When proxying to a virtual server, use the proxy_reply instead
          of ignoring it.
        * Fixed typos in DHCP SQL IPPool.
        * Fix crash when passing multiple arguments to Perl xlat.

FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium
        Feature improvements
        * Everything now builds with no warnings from the C compiler,
          clang static analyzer, or cppcheck.
        * rlm_ldap now supports defining the LDAP attribute name via
          backticked expansion (i.e. shell command) in
          RADIUS <-> LDAP mappings.
        * rlm_ldap now supports older style generic attributes.
        * dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed
          when the server starts.  Syntax errors in the strings
          are caught, and a descriptive error is printed.
        * Static regular expressions (e.g. /a*b/) are now parsed
          when the server starts.  Syntax errors in the strings
          are caught, and a descriptive error is printed.
        * dynamic expansions are cached after being parsed.  They are
          no longer re-parsed at run-time for every request.
        * regular expressions are now parsed and cached when the server
          starts.
        * Added the %{rest:} expansion to rlm_rest, which will send
          a GET request to the URL passed as the format string.
          Any body text will be written to the expansion buffer.
        * rlm_rest now available as a debian package.
        * When an 'if' condition statically evaluates to true/false,
          unlang does more static optimization.  For examples, see
          src/tests/keywords/if-skip
        * All modules are marked as safe for '-C', which lets the
          dynamic expansion checks work in more situations.
        * Added 'none' and 'custom' rlm_rest body types. 'custom'
          allows sending of arbitrary expanded text and content-type
          headers.
        * Added "config" section to Perl.  See mods-available/perl
        * Added '%v' which expands to the server version - Patch
          from Alan Buxey.
        * more mis-matched casts are caught in "if" conditions,
          and descriptive errors are printed.
        * Support basic response validation in radclient. This allows
          administrators to write local test cases for their
          site-specific configurations.
        * Removed radconf2xml and radmin "show client config" and
          "show home_server config".
        * Forbid running with vulnerable versions of OpenSSL.
          See "allow_vulnerable_openssl" in the "security"
          subsection of "radiusd.conf"
        * Catch underlying "heartbleed" problem, so that nothing bad
          happens even when using a vulnerable version of OpenSSL.
        * Add locking API for sql_null, linelog, and detail modules,
          which should improve performance and work around issues
          on platforms with bad file locking.
        * Allow DHCP NAKs to be delayed, via setting
          reply:FreeRADIUS-Response-Delay = 1
        * Allow tag and array references anywhere attributes
          are allowed in "unlang".
        * many enhancements to radsniff, including output
          to collectd, ipv6 support and packet loss statistics.
        * Many dictionary updates (ZTE, Brocade, Motorola).
        * rlm_yubikey now automatically splits passwords from OTP
          strings.
        * The detail file reader is now threaded by default.
          This should improve performance reading the files.

        Bug fixes
        * Fix xlat expression %{attribute[n]} so that it actually
          returns the n'th attribute instead of the first one.
        * Don't parse string on RHS of update {} when using unary
          operators (!*).  The RHS should always be ignored.
        * Check for more optional functions in json-c so we can
          Build with libjson0, which is the name of the json-c package
          on debian/ubuntu.
        * Fix issue in radmin where the main dictionaries would
          not be loaded which, depending on the configuration, may
          have caused validation errors.
        * Fix handling of "%{reply:3GPP-*}"
        * Fix rlm_perl garbage attributes
        * Fix oracle SQL queries, which amongst other things still
          used the old expansion format, which is no longer
          supported/parsed.
        * Truncate long format strings and error markers instead of
          omitting them.
        * Fix multiple attribute parsing in rlm_rest JSON.
        * Don't crash in rlm_rest if connect_uri is commented out
          in the configuration.
        * Don't double-escape strings to / from Perl.  You may need
          to double-check your Perl scripts if they use "\" characters.
          See mods-available/perl for documentation.
        * Don't re-run "authorize" if a home server fails to respond.
        * Don't append "0x" to hex output of octets types, for xlat
          expansions.  This is the same as v2, and makes it easier
          to concatenate multiple attributes of type "octets"
        * FreeBSD fixes for execinfo linking.
        * Make some of the module configurations more consistent.
        * Fix corner cases where STDOUT wouldn't be closed in
          daemon mode.
        * Re-enable "update coa" and originating CoA requests.
        * Prevent multiple threads writing to the sql query logs.
        * Fix zombie period calculation.  Closes #579
        * Properly parent VPs for talloc, when moving them in map2request.
        * Various fixes for talloc parent / child relationships
        * Allow rlm_counter to support VSAs.
        * Normalize return codes for many modules. "do nothing" is noop,
          not "ok".
        * Run Post-Proxy-Type Fail.  Closes #576
        * Fix DHCP destination port for replies to relays.  Closes #591
        * Do-Not-Respond policy works again  Closes #593
        * Proxy-To-Virtual-Server works again.  Closes #596
        * Build fixes for ancient systems.  Closes #607, #608, #609.
        * %{Module-Return-Code} works again.  Closes #610.
        * Don't increment statistics for Status-Server responses.
          Closes #612.
        * A duplicate request isn't a duplicate if the original one
          is marked "done".  This should lower retransmissions from
          clients.
        * Fix multiple regular expression and glob memory leaks.
        * Don't allocate any memory in fr_fault() as it can cause malloc
          to deadlock.
        * Temporarily set dumpable flag before calling system in fr_fault()
          else the debugger may not be able to attach.
        * Set nonblock on all TCP client sockets.
        * Fix minor buffer overrun in mschapv2 where some attribute strings
          were not correctly \0 terminated.
        * Fix crash on authentication failure with MIT kerberos.
        * Fix code so that octal escape sequences aren't prematurely unescaped
          in rlm_sql, radclient, preprocess, and other places. This may
          require configuration changes, as these sequences will no longer
          need double escaping (\\) of the backslash.
        * The connection pools no longer have one connection used twice
          in certain rare conditions.
        * Use self pipes for internal signals.  The code was there, but was
          unused.
        * Don't crash if there are outstanding EAP sessions and were told to
          exit gracefully.
        * Fix typo in dictionary.rfc4072

FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium
        Feature improvements
        * secret keys and LDAP / SQL passwords are now printed as
          '<<< secret >>>' in debugging mode.  Use -Xx to see the
          actual passwords.
        * Print out more information about passwords in -Xx,
          including hashes, comparisons, etc.
        * Allow cast (and implicit conversion) of integers to IPv4 addresses
        * More xlats allow attribute references.  This means they can
          operate on binary data.  e.g. expr, base64, md5, sha1.
        * Added more tests.
        * The dictionaries are now auto-loaded.  raddb/dictionary
          should no longer have $INCLUDE ${prefix}/share/dictionary
        * A "panic_action" can be set to have the server dump a gdb
          log on SEGV or other fatal error.  See radiusd.conf
        * Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
        * Add "%{sha256:}" and "%{sha512:}" xlat functions.
        * Cache CUI in EAP session resumption.
        * templates can now have sub-sections, which will be included
          in the section referencing the template.
        * Update more dictionaries.
        * Added more instances of the "always" module, for all return
          codes.
        * Suppress broken NASes when proxying.  Retransmits which occur
          more than once per second are rate-limited to once per second.
        * Allow '&' in more xlat expansions.
        * Update PostgreSQL schema and queries to record last updated
          time, and accounting interim.
        * Optimize more "if" conditions when the server loads.  This will
          avoid work at run time.  e.g. ("foo" == "bar") --> FALSE.
        * Allow removal of all attributes within a list with !* operator.
        * Allow list to list copies with request qualifiers (outer.).
        * Add support for ipv4 prefixes and ipv6 addresses and prefixes to
          %{integer:}.
        * allow radmin command "set module status <module> <code>"
          which can be used to forcibly enable/disable modules.
        * pap module now assumes Cleartext-Password if Password-With-Header
          doesn't have a {...} header.
        * Added "unpack" module.  It can unpack binary data from horrible
          VSA formats.  See raddb/mods-available/unpack
        * Added example IP Pool for DHCP, using sqlite.  From Matthew Newton
          See raddb/mods-config/sql/ippool-dhcp/

        Bug fixes
        * Fix SQL groups.
        * Fix operation of fr_strerror() with RE*() macros.
        * Don't assert if the connection we're trying to reconnect
          is not in_use.
        * Fix %{mschap:User-Name} xlat.
        * Allow comparisons of signed integers and of ethernet addresses.
        * Fix parsing of text-based ascend binary filters.
        * Fix a few minor Coverity and clang analyzer issues.
        * Log WARNING and ERROR prefixes only once, not twice.
        * Fix attribute truncation seen in Perl and other places.
        * Use correct port when DHCP relaying.
        * Fix behaviour on FreeBSD where sending packets from an interface
          bound to an IP address would fail when the server was built with
          udpfromto.
        * Don't abort() when freeing home servers on exit.
        * Fix edge case in pairmove() when some attributes could be over-
          written.
        * Do checks for individual sqlite v2 functions so rlm_sqlite builds
          correctly with more versions of the library.
        * In heimdal kerberos, create MEMORY ccaches on a per context basis.
          This prevents issues with the root ccache being used.
        * Fix corner case with proxying, where home server goes down.
        * Rate-limit "max_requests" complaint.  We don't want to fill the
          logs when something goes wrong.
        * Use /dev/urandom for raddb/certs/random, if it exists.
        * Issue WARNING that old-style clients should no longer be used.
        * Auto-set secret to "radsec" for tcp+tls home servers.
        * Fix double free in home_server_add when there is a parse error
          on startup.
        * rlm_unix checks if the dictionaries are broken, instead of crashing
        * Fix potential memory corruption when normalising salted password
          hashes from hex, where the combined hash and salt was > 64 bytes.
        * Register sqlcounter attributes correctly, and other issues with it
        * treat 127.0.0.1/32 as being identical to 127.0.0.1
        * Don't mangle error output of SQL drivers like PostgreSQL
        * Fix usage of "tls = ${tls}".  It could previously cause problems
          when the reference was used multiple times.
        * Fix TLS session leak for incoming sockets.
        * Try harder to clean up memory on exit when using "-mM"
        * Fix memory leak when home server is down for RadSec connections
        * rate-limit outgoing connection attempts when the home server
          is down.  It will retry no more than once per second.
        * When parsing ipv6 address prefixes, always mask off the host
          portion.
        * Fix rlm_counter so that it does not create two reply
          attributes.
        * Fix issues with DHCP Sub-TLVs where the value of the first
          Sub-TLV would appear corrupted, and subsequent TLVs would
          not appear in debug output.
        * Initialize scope in IP address parsing
        * Prevent vendor attributes and RFC space attributes from clashing
          in rlm_attr_filter.
        * Set source IP address for DHCP packets from DHCP-Server-IP-Address,
          or DHCP-DHCP-Server-Identifier, if we're unable to otherwise
          determine the source IP.
        * Fix POST attribute parsing in rlm_rest.
        * Fix JSON attribute parsing in rlm_rest.
        * Don't append trailing & to POST options in rlm_rest (minor).
        * Process HTTP 100 Continue messages correctly in rlm_rest
        * Fix generation of long > 512 byte POST payloads, where attribute
          values on the chunk boundary may have been omitted in rlm_rest.
        * Remove duplicate escape sequence parsing in rlm_sqlippool and
          rlm_sqlcounter which caused issues with escaping %. Escape
          sequence parsing is now handled purely by the xlat functions.
        * Ensure %% is treated as a string literal, and so not passed to any
          xlat escape functions for processing.
        * Correct calculation of Message-Authenticator
          for CoA packets.  Closes #556

FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
        Feature improvements
        * Add "timeout" to exec, and "ntlm_auth_timeout" to mschap.
          So that run-away child processes are caught earlier.
        * Allow TLS clients to use "proto = tls", in which case
          TLS is required.  The shared secret is then set to "radsec".
        * More documentation in the tls virtual server.
        * Add "date" module for date formatting.
          See raddb/mods-available/date.
        * Added unit test suite for internal server functionality
        * When loading "update" sections, check if the RHS is a literal
          value.  If so, syntax check it immediately.
        * Update LDAP module documentation and functionality.
          The generic attribute can now update lists.
        * Updated dictionary.extreme.
        * Update sqlippool to do clears as a separate transaction,
          and at most once per second.  This should help MySQL.
        * Respect control:Response-Packet-Type for all types of
          requests.
        * Add support for SSL encryption to the MySQL driver.
        * Allow arbitrary connection parameters to be used with the
          PostgreSQL driver.
        * Changes to the OpenLDAP schema to fully expose functionality
          of the new LDAP module.
        * Update debian packaging to include a freeradius-config
          package. This package may be provided as a site local
          package to avoid fighting with the preinstalled config
          files.

        Bug fixes
        * Use correct field for ARP setting in DHCP.
        * Fix crash on debug condition (#454).
        * Fix a number of minor issues caught by the clang
          analyzer.
        * Set WARNING messages to yellow instead of normal text.
        * Correct debug colorise logic.  Patch from Phil Mayers.
        * Encode attributes of type "ethernet".  No one uses them,
          but it makes sense.
        * Work around regex initialization issues.
        * Fix build when linking against OpenSSL.
        * Print IDs as positive numbers, which helps for large DHCP
          XIDs.
        * Fix issue with sql_ippool.
        * sqlcounter now uses 64-bit counters, to deal with 4G overflow.
        * Fix issues with DHCP subsystem.
        * Don't build / install disabled modules, or their config
          files.
        * Fix build for OSX Mavericks, which hid the header files
          in a magical place.
        * Fix LEAP buffer issue.  You should still avoid LEAP.
        * Mark "unknown" WiMAX attributes as being WiMAX.
        * Fix typo in packet decoder for fragmented extended attrs
        * RPM spec fixes.
        * Fix rlm_perl build issues when not using threads.
        * Enable %{Response-Packet-Type} again.
        * Update configuration file parser to handle "bool"
          consistently.
        * Update declarations of global boolean variables to use
          "bool" consistently. This fixes an issue where some
          modules were instantiated in "config check" mode and
          did not work correctly.
        * Make more messages debug instead of info, to avoid
          polluting the logs with messages that can't be fixed.
        * Set operator in internal unlang code to suppress spurious
          warning messages.
        * Fix debian packaging.
        * Added "status" to Debian init script.
        * Fix "update outer.request" to update the outer request.
        * Don't print TLS debugging messages when not in debug mode.
        * Correctly manage counters for "limit" sections of TCP / TLS
          "listen" sockets.
        * Fix libldap debug output.
        * Fix rlm_ldap tls functionality.
        * Initialise OpenSSL globals early to avoid issues with the
          PostgreSQL library.
        * Fix typo in sqlcounter expansion code.  Fixes #463
        * Overwrite previous instances of SQL-User-Name when adding
          it to the request.
        * Work around bugs in both MIT and heimdal versions of
          krb5_copy_context(), which caused segfaults in
          multithreaded mode.
        * Provide meaningful error messages if Heimdal krb5 is used.
        * Fix attribute supression in rlm_detail.
        * Exit with error code if child fails to complete server
          initialisation after forking.  This allows init scripts to
          correctly report whether the server started ok.

FreeRADIUS 3.0.0 Mon  7 Oct 2013 15:48:14 EDT urgency=medium
        Feature improvements
        * Documentation for upgrading from 2.x is in raddb/README.rst
          Please follow it.  It will make the upgrade easier.
        * Moved configuration entries in radiusd.conf to make more sense.
        * Added the "integer64" and "ipv4prefix" data types.
        * Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
        * Updated internal API to support new attributes and formats
        * Added code to send SNMP Traps.  See raddb/trigger.conf.
        * Added preliminary support for Apple's Grand Central Dispatch
        * Added provisions for raddb/dictionary.local, for local changes.
          See raddb/dictionary for more details.
        * Added packet/s tracking. See max_pps in the "listen" section.
        * The %{} expansions and "unlang" conditions are now parsed at server
          start. Descriptive errors are produced for syntax and format errors.
        * Casting is now supported for "unlang" comparisons.  See "man unlang"
          e.g. <ipaddr>127.0.0.1 == Framed-IP-Address.
        * Direct comparison of attribute references is now supported.
          e.g. &Foo == &Bar.  This avoids stringification of the attributes.
        * Direct assignment of attributes is now supported.
          e.g. Foo := &Bar.  It also works for "octets" data types.
        * Comparisons of IPv4 and IPv6 prefixes are now supported.
          The "<" operator means "within the prefix" for comparisons.
        * New sha1 xlat expansion (thanks to Alan Buxey)
        * Colourised log messages when logging to stdout.  Look for yellow
          warnings and red errors.  Doing this will save you a LOT of grief.
        * If the PCRE library is available, use it (insted of the POSIX
          functions) to process regular expressions (thanks to Phil Mayers).
        * -xv now displays all the features the server was built with, and
          the versions of the core libraries (libtalloc, libssl).

        Module Changes
        * Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/,
          following the examples of other projects.
        * Additional files for each module are now in raddb/mods-config/.
          See raddb/mods-config/README.rst for documentation.
        * Moved "users" to raddb/mods-config/files/authorize
        * Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
        * Moved eap.conf to mods-available/eap
        * Moved sql.conf to mods-available/sql
        * Moved TLS configuration for EAP into a common subsection.
          See raddb/mods-available/eap, "tls-config" section.
        * Added for MS-CHAP Change Password from Phil Mayers.
          See raddb/mods-available/mschap, "passchange" subsection.
        * Added EAP-PWD implementation from Dan Harkins
        * Added connection pools for modules. This unifies connection
          management which was previously different for different modules.
        * SQL now uses the connection pool.  See mods-available/sql
        * SQL now supports arbitrary Acct-Status-Types.
          These changes are not compatible with 2.x.
        * SQL now has full support for SQLite.  See raddb/sql/main/sqlite/
        * SQLite supports auto-creation of new databases on server startup for
          bootstrapping purposes.
        * LDAP now uses the connection pool.  The LDAP module has been
          completely re-written for performance and simplicity.
        * LDAP now caches groups.  This makes multiple group checks MUCH
          faster.
        * Removed all limitations on 253 octet attributes.  RFC 6929 allows
          for attributes up to 4K in length.
        * New rlm_idn module providing an expansion for performing IDNA encoding
        of internationalized domain names.  Thanks to 'skids'.
        * New rlm_yubikey module to validate yubikey OTP tokens.
          See raddb/modules/yubikey

        Bug fixes
        * All known bug fixes from 2.2.x are included.
        * Removed "addport" functionality.
        * Removed many unused or duplicate modules.  See raddb/README.rst.

        Internal / API changes:
        * All traces of the old build system have been removed.
          The new build system is faster and simpler.
        * clang is fully supported.
        * We now use "talloc" for memory management.  A number of new
          features required this change.  Thanks to the Samba people!
        * Many internal APIs have been updated to use talloc.
        * New API for iterating over VALUE_PAIRs.  This is in preparation
          for attributes, in version 3.1.
        * No new code should directly modify any field of a VALUE_PAIR.
        * VALUE_PAIRs contain pointers to DICT_ATTR instead of containing
          attribute and vendor fields.  This will allow nested attributes.
        * Some protocol specific code has been moved out into proto_* modules.
          More will come in subsequent versions.  See proto_dhcp and proto_vmps.
        * Standardised internal logging macros.  radlog() should not be used.
          See src/include/log.h
        * Use OpenSSL hashing functions when available.
        * The server now builds with no warnings on most platforms.
        * New RADIUS encoder/decoder, to support new formats.
        * Added RFC 6929 "extended attributes", via the new encoder/decoder.
        * Added full WiMAX support, via the new encoder/decoder.  The old
          code could not handle some unusual corner cases.