FreeRADIUS 3.0.2 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
    Feature improvements
    * Allow cast (and implicit conversion) of integers to IPv4 addresses.
    * More xlats allow attribute references. This means they can operate on binary data, e.g. expr, base64, md5, sha1.
    * Added more tests.
    * The dictionaries are now auto-loaded. raddb/dictionary should no longer have $INCLUDE ${prefix}/share/dictionary
    * A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error.
    * Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
    * Add "%{sha256:}" and "%{sha512:}" xlat functions.
    * Cache CUI in EAP session resumption.
    * Templates can now have sub-sections, which will be included in the section referencing the template.
    * Update more dictionaries.
    * Added more instances of the "always" module, for all return codes.
    * Suppress broken NASes when proxying. Retransmits which occur more than once per second are limited to only once per second.
    * Allow '&' in more xlat expansions.
    * Update PostgreSQL schema and queries to record last updated time, and accounting interim.

    Bug fixes
    * Fix SQL groups.
    * Fix operation of fr_strerror() with RE*() macros.
    * Don't assert if the connection we're trying to reconnect is not in_use.
    * Fix %{mschap:User-Name} xlat.
    * Allow comparisons of signed integers and of ethernet addresses.
    * Fix parsing of text based ascend binary filters.
    * Fix a few minor Coverity and clang analyzer issues.
    * Log WARNING and ERROR prefixes only once, not twice.
    * Fix attribute truncation seen in Perl and other places.
    * Use correct port when DHCP relaying.
    * Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
    * Don't abort() when freeing home servers on exit.
    * Fix edge case in pairmove() when some attributes could be overwritten.
    * Do checks for individual sqlite v2 functions so rlm_sqlite builds correctly with more versions of the library.
    * In heimdal kerberos, create MEMORY ccaches on a per context basis. This prevents issues with the root ccache being used.
    * Fix corner case with proxying, where home server goes down.
    * Rate-limit "max_requests" complaint. We don't want to fill the logs when something goes wrong.
    * Use /dev/urandom for raddb/certs/random, if it exists.
    * Issue WARNING that old-style clients should no longer be used.
    * Auto-set secret to "radsec" for tcp+tls home servers.
    * Fix double free in home_server_add, when there is a parse error on startup.
    * rlm_unix checks if the dictionaries are broken.
    * Fix issues in decoding POST responses in rlm_rest.
    * Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes.
    * Register rlm_sqlcounter attributes correctly.

FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
    Feature improvements
    * Add "timeout" to exec, and "ntlm_auth_timeout" to mschap, so that run-away child processes are caught earlier.
    * Allow TLS clients to use "proto = tls", in which case TLS is required. The shared secret is then set to "radsec".
    * More documentation in the tls virtual server.
    * Add "date" module for date formatting. See raddb/mods-available/date.
    * Added unit test suite for internal server functionality.
    * When loading "update" sections, check if the RHS is a literal value. If so, syntax check it immediately.
    * Update LDAP module documentation and functionality. The generic attribute can now update lists.
    * Updated dictionary.extreme.
    * Update sqlippool to do clears as a separate transaction, and at most once per second. This should help MySQL.
    * Respect control:Response-Packet-Type for all types of requests.
    * Add support for SSL encryption to the MySQL driver.
    * Allow arbitrary connection parameters to be used with the PostgreSQL driver.
    * Changes to the OpenLDAP schema to fully expose functionality of the new LDAP module.
    * Update debian packaging to include a freeradius-config package. This package may be provided as a site local package to avoid fighting with the preinstalled config files.

    Bug fixes
    * Use correct field for ARP setting in DHCP.
    * Fix crash on debug condition (#454).
    * Fix a number of minor issues caught by the clang analyzer.
    * Set WARNING messages to yellow instead of normal text.
    * Correct debug colorise logic. Patch from Phil Mayers.
    * Encode attributes of type "ethernet". No one uses them, but it makes sense.
    * Work around regex initialization issues.
    * Fix build when linking against OpenSSL.
    * Print IDs as positive numbers, which helps for large DHCP XIDs.
    * Fix issue with sql_ippool.
    * sqlcounter now uses 64-bit counters, to deal with 4G overflow.
    * Fix issues with DHCP subsystem.
    * Don't build / install disabled modules, or their config files.
    * Fix build for OSX Mavericks, which hid the header files in a magical place.
    * Fix LEAP buffer issue. You should still avoid LEAP.
    * Mark "unknown" WiMAX attributes as being WiMAX.
    * Fix typo in packet decoder for fragmented extended attrs.
    * RPM spec fixes.
    * Fix rlm_perl build issues when not using threads.
    * Enable %{Response-Packet-Type} again.
    * Update configuration file parser to handle "bool" consistently.
    * Update declarations of global boolean variables to use "bool" consistently. This fixes an issue where some modules were instantiated in "config check" mode and did not work correctly.
    * Make more messages debug instead of info, to avoid polluting the logs with messages that can't be fixed.
    * Set operator in internal unlang code to suppress spurious warning messages.
    * Fix debian packaging.
    * Added "status" to Debian init script.
    * Fix "update outer.request" to update the outer request.
    * Don't print TLS debugging messages when not in debug mode.
    * Correctly manage counters for "limit" sections of TCP / TLS "listen" sockets.
    * Fix libldap debug output.
    * Fix rlm_ldap tls functionality.
    * Initialise OpenSSL globals early to avoid issues with the PostgreSQL library.
    * Fix typo in sqlcounter expansion code. Fixes #463.
    * Overwrite previous instances of SQL-User-Name when adding it to the request.
    * Work around bugs in both MIT and heimdal versions of krb5_copy_context(), which caused segfaults in multithreaded mode.
    * Provide meaningful error messages if Heimdal krb5 is used.
    * Fix attribute suppression in rlm_detail.
    * Exit with error code if child fails to complete server initialisation after forking. This allows init scripts to correctly report whether the server started ok.

FreeRADIUS 3.0.0 Mon 7 Oct 2013 15:48:14 EDT urgency=medium
    Feature improvements
    * Documentation for upgrading from 2.x is in raddb/README.rst. Please follow it. It will make the upgrade easier.
    * Moved configuration entries in radiusd.conf to make more sense.
    * Added the "integer64" and "ipv4prefix" data types.
    * Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
    * Updated internal API to support new attributes and formats.
    * Added code to send SNMP Traps. See raddb/trigger.conf.
    * Added preliminary support for Apple's Grand Central Dispatch.
    * Added provisions for raddb/dictionary.local, for local changes. See raddb/dictionary for more details.
    * Added packet/s tracking. See max_pps in the "listen" section.
    * The %{} expansions and "unlang" conditions are now parsed at server start. Descriptive errors are produced for syntax and format errors.
    * Casting is now supported for "unlang" comparisons. See "man unlang", e.g. 127.0.0.1 == Framed-IP-Address.
    * Direct comparison of attribute references is now supported, e.g. &Foo == &Bar. This avoids stringification of the attributes.
    * Direct assignment of attributes is now supported, e.g. Foo := &Bar. It also works for "octets" data types.
    * Comparisons of IPv4 and IPv6 prefixes are now supported. The "<" operator means "within the prefix" for comparisons.
    * New sha1 xlat expansion (thanks to Alan Buxey).
    * Colourised log messages when logging to stdout. Look for yellow warnings and red errors. Doing this will save you a LOT of grief.
    * If the PCRE library is available, use it (instead of the POSIX functions) to process regular expressions (thanks to Phil Mayers).
    * -xv now displays all the features the server was built with, and the versions of the core libraries (libtalloc, libssl).

    Module Changes
    * Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/, following the examples of other projects.
    * Additional files for each module are now in raddb/mods-config/. See raddb/mods-config/README.rst for documentation.
    * Moved "users" to raddb/mods-config/files/authorize
    * Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
    * Moved eap.conf to mods-available/eap
    * Moved sql.conf to mods-available/sql
    * Moved TLS configuration for EAP into a common subsection. See raddb/mods-available/eap, "tls-config" section.
    * Added support for MS-CHAP Change Password from Phil Mayers. See raddb/mods-available/mschap, "passchange" subsection.
    * Added EAP-PWD implementation from Dan Harkins.
    * Added connection pools for modules. This unifies connection management, which was previously different for different modules.
    * SQL now uses the connection pool. See mods-available/sql
    * SQL now supports arbitrary Acct-Status-Types. These changes are not compatible with 2.x.
    * SQL now has full support for SQLite. See raddb/sql/main/sqlite/
    * SQLite supports auto-creation of new databases on server startup for bootstrapping purposes.
    * LDAP now uses the connection pool. The LDAP module has been completely re-written for performance and simplicity.
    * LDAP now caches groups. This makes multiple group checks MUCH faster.
    * Removed all limitations on 253 octet attributes. RFC 6929 allows for attributes up to 4K in length.
    * New rlm_idn module providing an expansion for performing IDNA encoding of internationalized domain names. Thanks to 'skids'.
    * New rlm_yubikey module to validate yubikey OTP tokens. See raddb/modules/yubikey

    Bug fixes
    * All known bug fixes from 2.2.x are included.
    * Removed "addport" functionality.
    * Removed many unused or duplicate modules. See raddb/README.rst.

    Internal / API changes
    * All traces of the old build system have been removed. The new build system is faster and simpler.
    * clang is fully supported.
    * We now use "talloc" for memory management. A number of new features required this change. Thanks to the Samba people!
    * Many internal APIs have been updated to use talloc.
    * New API for iterating over VALUE_PAIRs. This is in preparation for attributes, in version 3.1.
    * No new code should directly modify any field of a VALUE_PAIR.
    * VALUE_PAIRs contain pointers to DICT_ATTR instead of containing attribute and vendor fields. This will allow nested attributes.
    * Some protocol specific code has been moved out into proto_* modules. More will come in subsequent versions. See proto_dhcp and proto_vmps.
    * Standardised internal logging macros. radlog() should not be used. See src/include/log.h
    * Use OpenSSL hashing functions when available.
    * The server now builds with no warnings on most platforms.
    * New RADIUS encoder/decoder, to support new formats.
    * Added RFC 6929 "extended attributes", via the new encoder/decoder.
    * Added full WiMAX support, via the new encoder/decoder. The old code could not handle some unusual corner cases.