FreeRADIUS 3.0.14 Mon 06 Mar 2017 13:00:00 EDT urgency=medium
  Feature improvements
  * Enforce TLS client certificate expiration on session resumption, and Session-Timeout.
  * Updated dictionary.cisco.vpn3000, dictionary.patton.
  * Added dictionary.dellemc.
  * Lowered the log output for failed PEAP sessions.
  * Allow UTC in rlm_date. Patch from Peter Lambrechtsen.
  * The internal OpenSSL session cache has been disabled. Please see mods-available/eap.
  * Update detail reader documentation. Patch from Matthew Newton. Fixes #1973.
  * Make outgoing RadSec connections non-blocking.
  * Add SQL backing to Moonshot-*-TargetedId generation. Patch from Stefan Paetow.

  Bug fixes
  * radtest uses Cleartext-Password for EAP, not User-Password.
  * Update documentation for mods-enabled/ linking.
  * Enhanced checks for moonshot salt. Fixes #1933.
  * Allow session resumption for RadSec connections. Fixes #1936.
  * Update "huntgroups" file to note that port ranges are not supported.
  * Fix OpenSSL permissions issues on default key files. Fixes #1941.
  * Certificates are not required when PSK is used.
  * Allow SubjectAltName as first extension in cert. Fixes #1946.
  * Fixed talloc issue with TLS session resumption. Fixes #1980.
  * "&Attr-26 := 0x01" now produces useful error messages.
  * Handle connection error in rlm_ldap_cacheable_groupobj. Fixes #1951.
  * Fix endian issues in DHCP.
  * Multiple minor fixes for Coverity complaints.
  * Handle unexpected regex. Fixes #1959.
  * Fix minor issues in dictionaries.
  * Fix typos and grammar. Patches from Alan Buxey.
  * Fix erroneous VP creation in rlm_preprocess.
  * Fix MIB. Patch from Jeff Gehlbach.
  * Trust router updates from Alejandro Perez.
  * Allow build with LibreSSL. Fixes #1989.
  * Use correct packet for channel bindings. Fixes #1990.
  * Many fixes found by PVS-Studio. Thanks to PVS-Studio for giving us a test license. Please see the git commit history for more information.

FreeRADIUS 3.0.13 Mon 06 Mar 2017 13:00:00 EDT urgency=medium
  Feature improvements
  * Add dictionary.rfc7930. Note that we do not implement the RFC.
  * Added 'cipher_server_preference' to mods-available/eap. Patch from #1797.
  * OpenSSL 1.1.0 compatibility fixes.
  * rlm_perl: radiusd::xlat to evaluate an xlat string within a perl script.
  * Allow authentication retry in winbind. Patch from Herwin Weststrate. See raddb/mods-available/mschap.
  * Added "recv-coa" method to rlm_rest. It behaves the same as "authorize".
  * Document Trust Router tr_port option. Patch from Stefan Paetow.
  * Update elasticsearch/logstash examples so that they work with elastic stack v5. Patch from Matthew Newton.
  * Print information about packets, replies, and contents in the detail file reader.
  * Update abfab-tr policy. Pull request #1893 from Stefan Paetow.
  * Reject packets which contain User-Password and EAP-Message.
  * Add example for filtering Access-Challenge. See sites-enabled/default.
  * Pull symlink fixes from v4.0.x. Fixes #1859.
  * Add systemd reload. Not everything is reloaded, but some is. Fixes #1662.
  * Better documentation for listen "ipaddr". Fixes #1921.
  * Add dictionary.cnergee, updated dictionary.nomadix.
  * radclient no longer needs -x to print statistics with -s.

  Bug fixes
  * Minor typos. Fixes #1763.
  * Fix typo in RPM build. Closes #1767.
  * rlm_mschap checks for password expiry only if the password was correct. Fixes #1762.
  * Update debian build.
  * Update rlm_counter "man" page. Fixes #1775.
  * Remove erroneous assert. Fixes #1778.
  * Fix mschap password change test. Fixes #1792.
  * Cleanup config file on data remove. Fixes #1795.
  * passwd module returns "notfound" if not found.
  * Check for old OpenSSL, and don't build rlm_eap_fast if necessary. Fixes #1803.
  * Cleanup memory better after ldap version query. Patch from Aleksey Katargin.
  * Rename lt_* functions to avoid linker issues with libtool. Fixes #1277.
  * Many miscellaneous fixes and typos.
  * Allow long strings in %{%{foo} bar:-%{baz} blah". Fixes #1866.
  * Fix filtering operators, along with more documentation and more tests for them.
  * Fix OpenSSL fixes. Fixes #1876.
  * Finish SQL select queries even when SELECT returns no rows. Fixes #1879.
  * Set Module-Failure-Message for more EAP errors.
  * Correct typo in dictionary.rfc5580. Fixes #1882.
  * Remove obsolete systemd syslog.target.
  * Client-Port-Balance load-balancing now uses client port.
  * Radrelay examples fixed from Alex Clouter.
  * Update systemd target. Pull request #1896.
  * Trim starting whitespace in xlat strings.
  * Get MySQL result lengths using normal API.
  * suid down after fchown(). Fixes #1914.
  * Fix cases of comparing pointer to NUL character. Fixes #1915.
  * OpenSSL v1.1 fixes. Pull request #1921.
  * Better handle v4/v6 host names. Pull request #1919.
  * Remove "Auth-Type = System" from docs and examples.
  * Don't crash on malformed %{home_server}. Fixes #1922.
  * Fix erroneous use of talloc destructor in rlm_eap.
  * Issue trigger modules.sql.fail. Fixes #1923.
  * Document python_path gotchas. Fixes #1845.
  * dlopen() the specific version of Python. Fixes #1592.

FreeRADIUS 3.0.12 Thu 29 Sep 2016 13:00:00 EDT urgency=medium
  Feature improvements
  * Add support for =~ and !~ in update sections. See "man unlang".
  * Add dictionary.checkpoint.
  * Simultaneous-Use prints out more information.
  * Print WARNING in debug mode when packets may be truncated.
  * Added expansions %{home_server:state} and %{home_server_pool:state}, which show the state of the server / pool.
  * Mark rlm_sql_freetds as stable.
  * Make rlm_perl less fragile. Patch from Herwin Weststrate.
  * Allow extended attributes to have "encrypt=2".
  * Update dictionary.aruba.
  * Add support for EAP-FAST. This is an isolated feature which does not affect anything else.
  * Update OpenSSL vulnerability list. Use a version of OpenSSL released after September 20, 2016.
  * EAP certificate verification is now done when "verify" is enabled and "ocsp" is disabled.
  * New dhcpclient and rlm_rad_counter man pages.
  * Minor abfab and moonshot additions.
  * Pass CFLAGS through from environment in RPM builds. Allows more custom builds.
  * Build with Heimdal in addition to libkrb5.

  Bug fixes
  * Use correct typedef for older versions of sqlite.
  * Update mssql schema to add priority.
  * Don't complain on /dev/urandom in ldap.
  * Fix == operator in update sections.
  * Don't create DHCP strings with many trailing zeros. Patch from Nicolas C. Fixes #1526.
  * Allow MS-CHAP change passwords instead of complaining on large buffer.
  * Allow assignment or equality operator on SQL.
  * Update aclocal tests for FreeBSD 10. Patches from Mathieu Simon.
  * Remove occasional hang in rlm_linelog.
  * Copy VSAs to inner tunnel for TTLS and PEAP. Fixes #1544.
  * A few minor bugfixes caught in v3.1.x cleanup, and back-ported to v3.0.x.
  * do_not_respond again works in post-proxy.
  * Allow realm "~^.*$" {} and User-Name with no realm.
  * Fix leak when creating unknown attributes.
  * Fix Debian / logrotate.
  * Make OpenSSL error functions thread-safe.
  * Fix crash with rlm_sql and updating SQL-User-Name.
  * Debian build updates.
  * Allow regular expression comparisons in radclient. Fixes #1574.
  * Fix memory leak on unknown attributes in detail file reader.
  * Update example paths in "man" pages when installing them.
  * Build fixes for rlm_mschap. Fixes #1489.
  * BSD build fixes. Patch from issue #1583.
  * Be more careful about /lib/ when building. Fixes #1585.
  * Correct ifdef placement error. Fixes #1572.
  * Allow for more files in internal "exfile" API, so it will be possible to open more than 64 "detail" files at the same time.
  * Remove support for statically built EAP modules. Fixes #1591.
  * Many fixes to rlm_python from Guillaume Pannatier.
  * Use correct week adjustment in SQLcounter. Fixes #1608.
  * Minor fixes to allow compilation without DHCP, VMPS, or TCP.
  * Fix checks for module / config file change on HUP.
  * Compile regex comparisons when sent via "debug condition". Fixes #1632.
  * Update filenames in documentation and examples. Patch from Alan Buxey, #1655.
  * Don't crash if SQL connection becomes unavailable. Fixes #1640.
  * Disallow originate_coa when proxy_requests = no. Fixes #1684.
  * Free rad_perlconf_hv in correct perl context. Fixes #1675.
  * Multiple fixes for Debian builds. #1510, among others.
  * Set OpenSSL FIPS compatibility flag when necessary.
  * Pulled fixes for the build system over from other branches.
  * Fix OCSP for RADIUS over TLS.
  * Fix skip_if_ocsp_ok behavior.
  * Better fixes for systems without closefrom() but which have /proc. Fixes #1757.
  * Minor build fixes back-ported from v4.0.x.
  * Build with --without-ascend-binary. Fixes #1761.
  * Be more aggressive about not opening new connections in debug mode after CTRL-C. Addresses #1604.

FreeRADIUS 3.0.11 Mon 25 Jan 2016 14:00:00 EST urgency=medium
  Feature improvements
  * "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast.
  * Allow shorthand form of ipv4prefix values, e.g. 127/8.
  * Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates, which might be wrong.
  * Added printing of coa and disconnect stats (radmin).
  * radclient defaults to expecting Access-Accept responses to Status-Server.
  * Updated dictionary.lancom, dictionary.starent.
  * Portability fixes for Solaris.
  * More errors from ntlm_auth get passed to MS-CHAP.
  * Update abfab-tr-idp virtual server.
  * Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients.
  * The server now issues a WARNING message if duplicate configuration items are found.
  * TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok".
  * Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check.
  * Interoperate with AD and "LmCompatibilityLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap.
  * TTLS and PEAP now require "virtual_server" to be a real server.
  * Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements.
  * Various rlm_python fixes from Herwin Weststrate.
  * Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond.
  * elasticsearch updates from Matthew Newton.

  Bug fixes
  * Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL.
  * Fix compatibility issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types.
  * Data type "ipv4prefix" is parsed correctly.
  * Use correct talloc context in rlm_exec. Fixes #1338.
  * Complain in unlang if "else" is used with no previous "if" or "elsif".
  * Send accounting status packets to the accounting port. Fixes #1364.
  * Print out CFLAGS when doing "radiusd -Xxv".
  * Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira.
  * Fixes for LEAP proxying. Don't use LEAP!
  * Fix issue with "directory already exists" seen when doing "make install".
  * Fixed bug with radmin related to the option "stats detail".
  * Complain if the detail file reader does not have permission to read the "detail.work" file. Fixes #1398.
  * Fixed SoH. Attributes were not being copied to the virtual server.
  * Used the wrong list for global statistics in "stats".
  * Create EAP-PWD identity correctly. Prevents segfaults.
  * Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
  * Fix includes in installed headers.
  * OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2".
  * Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries.
  * Fix home server fail-over for home servers using TCP and/or RadSec.
  * Special characters in expanded regexes are now escaped, e.g. for a User-Name containing '.' compared against /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape.
  * Use correct authentication vector when sending Access-Reject replies for RadSec.
  * Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute.
  * Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
  * Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API.
  * Automatically skip zero-length attributes when sending packets, instead of erroring out.

FreeRADIUS 3.0.10 Mon 05 Oct 2015 15:00:00 EDT urgency=medium
  Feature improvements
  * Do more optimization of unlang policies. This makes run-time a bit faster.
  * Re-name most of the functions in src/lib. Third-party module authors will have to do the same.
  * More documentation on contributing and how to write modules.
  * Update radiusd.service for systemd.
  * Open IPv6 proxy socket if the server is listening on IPv6 auth / acct / coa packets.
  * Create debian packages for DHCP. Fixes #1125.
  * Add more tests for "update" section parsing.
  * Update "man" pages.
  * Update attributes for Alcatel 7750.
  * Add dictionary for Boingo Wi-Fi.
  * Add support for DHCP lease queries. See raddb/sites-available/dhcp.
  * On HUP, check all modules for config files which have changed, and only re-load those modules.
  * Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate.
  * Documentation fixes from Alan Buxey and Matthew Newton.
  * Update "logrotate" script.
  * Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS.
  * Don't crash when doing radmin -e "help hup". Patch from Matthew Newton.
  * The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes.
  * Update debian packages. Patches from Christopher Hoskin.
  * Many other debian packaging fixes from Matthew Newton and Herwin Weststrate.
  * Add "session-state" to Perl. Patch from Herwin Weststrate.

  Bug fixes
  * Fix rlm_files so that there are no collisions when loading tens of thousands of users.
  * Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly.
  * Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'.
  * Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable.
  * Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence.
  * Fix deadlock when reconnecting connections in the connection pool.
  * Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer.
  * Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic.
  * Fix radclient issue with TCP sockets on FreeBSD.
  * The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root".
  * Handle tags when using maps. Fixes #1191.
  * Fix crash when CoA packets time out.
  * Fix parse error in rediswho.
  * Fix regex support in SQL radcheck, the "users" file and radsniff.
  * Register listen xlat earlier, so that it's available when the virtual servers are being parsed.
  * Parse Ascend-Data-Filter when given as "0x...".
  * Print Ascend-Data-Filter correctly. Add test cases for both.
  * Allow old-style clients again. They will be disallowed for 3.1.0 and following.
  * Complain instead of crash when "else" and "elsif" are in the wrong place.
  * Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods.
  * Prevent the server from unlinking the control socket of an already running instance.
  * Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate.
  * Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira.
  * Lower peak memory usage by decreasing size of internal memory pools.
  * The control socket is now left in place if a second copy of the server is accidentally started.
  * Allow virtual attributes in "switch", "case", etc. Fixes #1240 and #1265.
  * Many spell check / typo fixes in comments and example configuration files.
  * Better handle multiple DHCP listeners.
  * Don't print secrets for old-style realms. Fixes #1267.
  * Don't fall through in empty "case" statements. Fixes #1274.
  * Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
  * Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
  * Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=).
  * Always include C=, V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant.
  * Do not include M= in MSCHAPv1 errors. It's not supported.

FreeRADIUS 3.0.9 Wed 08 Jul 2015 12:00:00 EDT urgency=medium
  Feature improvements
  * Make "pool" configurations more consistent, and update documentation for them.
  * Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability.
  * More VSAs for 3GPP2.
  * Added examples of multi-value attributes to rlm_perl.
  * LDAP-Group and SQL-Group attributes are now dynamically allocated.
  * Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap".
  * Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error.
  * Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier.
  * Move to C99 initializers for modules.
  * Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate".
  * Added 'bootstrap' section to modules. Third-party modules will need to be updated.
  * When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list.
  * When reading dynamic clients from a file, don't expire them if the underlying file is unchanged.
  * Allow the server to originate CoA requests from the post-auth stage.
  * The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist.
  * Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification.
  * HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else.
  * Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved.
  * Increase default max_requests to 16384. Memory is cheap now.
  * Added "stats memory" commands to radmin. Debug build only.
  * Aptilo controller dictionary updates.
  * SQL modules now use Acct-Unique-Session-Id everywhere.
  * The redis modules are now stable.
  * The LDAP module now supports the SASL "interactive bind" method. This allows Kerberos based administrator and user binds.
  * DHCP code is now in libfreeradius-dhcp.
  * More DHCP encoding / decoding unit tests.
  * rlm_replicate can now be listed in the "accounting" section.
  * Better sqlite debugging output.
  * Remove "required" option from many sql_ippool directives.
  * Set default CA "basic constraints" to "critical". Fixes #1073.
  * Updates to help / man pages from Jorge Pereira.
  * Added more tests.

  Bug fixes
  * Be more careful about unused config item warnings when using -Xx.
  * Move more defines to be auto-generated.
  * Allow virtual servers in proxy fallback.
  * Allow %{module:} to work.
  * Don't crash in RadSec. Closes #980.
  * Return better errors when a unix group / user is not found.
  * Re-enable detail module "locking" parameter.
  * Don't crash when logging replies from Status-Server packets.
  * The couchbase module now uses "update" instead of "map", for consistency with the rest of the server. See raddb/mods-available/couchbase.
  * Don't require NT-Password for MS-CHAP password changes.
  * Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, though.
  * Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015
  * Fix dynamic clients read from SQL in non-debug mode.
  * MS-CHAP now allows retries (i.e. password change) when passwords are expired.
  * Allow "user=radiusd" when the server is already user "radiusd".
  * suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership.
  * Fix issue which caused the server to sometimes have problems when a home server was marked zombie.
  * Fix format.pl because Perl is now more picky.
  * Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port.
  * Fix corner case with cursor functions and removal.
  * OpenDirectory fixes and documentation.
  * Fix leaks in rlm_redis.
  * RFC 6929 "evs" attributes are now encoded / decoded properly.
  * Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests.
  * Printed attributes again use double quotes instead of single quotes.
  * Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.
  * rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert.
  * Make "break" work in "foreach" loops.
  * Allow dynamic expansions to work again in the "hints" file.
  * Correct minor typos in comments and examples from Alan Buxey.
  * Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise.

FreeRADIUS 3.0.8 Wed 22 Apr 2015 13:30:00 EDT urgency=medium
  Feature improvements
  * Allow syslog_severity to be set in rlm_linelog.
  * Allow defaults to be set for bulk clients in LDAP and couchbase.
  * Updates to dhcpclient. Patches from Nicolas C.
  * rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton.
  * Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random.
  * Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
  * Allow Expanded EAP types where vendor is 0 (IETF) and type is a normal EAP type. Supplicants sending Expanded EAP types like this are broken.
  * Add support for server side sort controls when searching for user objects in rlm_ldap.

  Bug fixes
  * Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block.
  * Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emitted during config parsing.
  * Fix ASSERT on truncated detail packets.
  * Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc.
  * Fix issue in "switch" when "correct_escapes = false". Fixes #911.
  * Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail.
  * Allow forward references in configuration items. Modules aren't always loaded in a sane order.
  * Fix more escaping issues. Closes #912.
  * Decode MAC addresses correctly for VMPS.
  * Fix memory leak with TLS connections.
  * Fix state machine threading issues for conflicting packets.
  * Fix copy_request_to_tunnel issues for tagged attributes.
  * Allow "ok" to over-ride "updated" inside of Auth-Type sections.
  * Update state machine so that post-proxy is run through child threads for performance, instead of blocking the main thread.
  * Allow "netmask" to work again in client definitions.
  * Relax restrictions on SQL group queries.
  * Track outgoing proxy sockets and clean them up more aggressively.
  * Track proxy statistics, including CoA and Disconnect.
  * If radmin has a connection failure when running a command, it re-connects and runs the command again.
  * Mark home servers "unknown" less aggressively.
  * Fix potential SEGV in PostgreSQL driver on error.
  * Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients.
  * Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required.
  * Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap.
  * Fix invalid assert in state.c, that could cause abort in post-auth.
  * Fix double free when -m flag is used, and connection pools are referenced by multiple modules.
  * RADIUS over TLS accounting uses the same port as authentication.
  * Regularized return codes from radmin commands.
  * Fix RHEL spec file so it works correctly for CentOS 7, which uses systemd and didn't like the SystemV init script.
  * radwho and radlast now have a -D option to load dictionaries.
  * DHCP packets are no longer checked for duplicates.
  * Don't crash in sql module group comparisons in corner case.
  * Calculate MPPE keys correctly when using TLS 1.2.
  * Fix load-balance sections. Closes #945.
  * TLS certificates are available again in the post-auth section. They are not available for session resumption.
  * radclient encodes CHAP-Password properly when using -c. Closes #955.
  * Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated.
  * Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error.
  * Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups.
  * Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
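The 3.0.8 entry above says rlm_pap now converts a Password-With-Header digest from hex or base64 to binary before comparing it; the following added Python example shows that normalisation end to end, including the salted SSHA and SHA-2 ({ssha256}) schemes that the 3.0.7 entries mention. It is a stand-alone reimplementation written for this changelog, not rlm_pap's code; the scheme table, the hex-before-base64 decode order and the make_password helper are assumptions.

```python
"""Password-With-Header normalisation and verification (added example).

Reimplements, independently of rlm_pap, the behaviour the changelog
describes: strip a '{scheme}' header, decode the digest from hex or base64
to raw bytes, then compare against a freshly computed (salted) hash.
"""
import base64
import binascii
import hashlib
import hmac
import os

# Assumed scheme table: header name -> (hash constructor, salted?).
# None as constructor means the payload is the clear-text password itself.
SCHEMES = {
    "clear":   (None, False),
    "md5":     (hashlib.md5, False),
    "smd5":    (hashlib.md5, True),
    "sha":     (hashlib.sha1, False),
    "ssha":    (hashlib.sha1, True),
    "sha256":  (hashlib.sha256, False),
    "ssha256": (hashlib.sha256, True),
    "sha512":  (hashlib.sha512, False),
    "ssha512": (hashlib.sha512, True),
}


def split_header(value):
    """Return (scheme, payload); a value without '{...}' is treated as clear text."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.lower(), payload
    return "clear", value


def decode_digest(scheme, payload):
    """Normalise the stored digest to raw bytes.

    Hex is tried first when the payload is even-length and at least as long
    as a hex-encoded digest for the scheme (salted schemes append a salt, so
    longer is allowed); otherwise strict base64; otherwise the bytes are
    kept as-is.  A base64 string made only of hex digits would be
    mis-read as hex, which is the inherent ambiguity of this format.
    """
    ctor, _ = SCHEMES[scheme]
    if ctor is None:
        return payload.encode()
    stripped = payload.strip()
    if len(stripped) >= 2 * ctor().digest_size and len(stripped) % 2 == 0:
        try:
            return binascii.unhexlify(stripped)
        except binascii.Error:
            pass  # not hex after all, fall through to base64
    try:
        return base64.b64decode(stripped, validate=True)
    except binascii.Error:
        return payload.encode()


def verify_password(candidate, stored):
    """Check a clear-text candidate against a Password-With-Header value."""
    scheme, payload = split_header(stored)
    if scheme not in SCHEMES:
        return False  # unknown header: reject rather than guess
    ctor, salted = SCHEMES[scheme]
    raw = decode_digest(scheme, payload)
    if ctor is None:
        return hmac.compare_digest(raw, candidate.encode())
    size = ctor().digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return False  # truncated or malformed digest
    digest, salt = raw[:size], raw[size:]
    computed = ctor(candidate.encode() + (salt if salted else b"")).digest()
    return hmac.compare_digest(computed, digest)  # constant-time compare


def make_password(scheme, password, salt=None):
    """Build a '{scheme}base64' value as an LDAP directory would store it (helper)."""
    ctor, salted = SCHEMES[scheme]
    if ctor is None:
        return "{clear}" + password
    if salted:
        salt = os.urandom(8) if salt is None else salt
        blob = ctor(password.encode() + salt).digest() + salt
    else:
        blob = ctor(password.encode()).digest()
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode())
```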
FreeRADIUS 3.0.7 Thu 19 Feb 2015 12:00:00 EDT urgency=medium Feature improvements * Allow coa home_servers to be derived from client sections if a coa_server section is provided. * Automatically determine the correct port if no port is provided for a home server. * Allow foreach to operate over lists. * Add compile time features to ${feature.*} and versions of core libraries to ${version.*}. Feature and version names match output of radiud -xv. %v is now deprecated. * Add support for PATCH method in rlm_rest. * Validate more module xlats on startup, and warn if an xlat expansion is found in a double quoted config item which will not be expanded. * Add support for sub-second timeouts in rlm_rest. * Add support for connection timeouts in rlm_rest. * Add %{jsonquote:} xlat to escape strings for insertion into json documents. * Add %{ldapquote:} xlat to escape strings for insertion into ldap DNs. * Add %{explode:&ref }, splits value of &ref on and creates new &ref type attributes with the fragments. * Allow rlm_ldap to use attribute references for base_dn and filter config items. The attribute references are not escaped, allowing DNs and filters to be created dynamically. * Add %{nexttime:[]h|d|w|y} to calculate the number of seconds before the next hour(s), day(s), week(s), or year(s). * Allow the left side of update sections to be xlat expansions. The result of the expansion is then used to reference the attribute to be modified. * Added %{lpad:&Attribute-Name 7 x} and rpad. These produce fixed-width output strings, with padding to the left (lpad) or the right (rpad). * For some SQL drivers (MySQL, sqlite) distinguish between constraints violations (on insert), invalid queries, and server errors, and return noop, invalid, and error respectively. * Call SHOW WARNINGS in the MySQL driver and write them to the request log, if libmysqlclient indicates warnings are available on the server. * Forbid the creation of Vendor-Specific for non-standard VSAs. Use Attr-26 = 0x... 
instead. * Make dhcpclient work with raw sockets and various other improvements - Contributed by nchaigne * Add support for SSHA2 - Contributed by PDD. * Add perle dictionary - Contributed by Hachmer * Modernise init scripts for RHEL, SUSE and Debian. * radmin now tracks the return code of commands, and exits with status "1" if any command failed to execute. * radmin now sends error messages from the server to stderr, instead of to stdout. * radmin now looks for sockets matching it's UID and GID, rather than just always using the first one it finds. * radmin can how delete clients which are tied to a listener. * Moved RADIUS attribute definitions to src/include/rfc*.h * Move to talloc pools for requests. For in-memory tests (default config, 'users' file), performance increases by 30%. * In rlm_ldap allow sasl_mech to be specified for admin and user binds. Only non-interactive mechs (like EXTERNAL) are currently supported. * Remove support for ephemeral RSA keys. They were "export only", and should not be used by anyone. * Syntax errors in the "users" file now produce better error messages. Bug fixes * Fix issues parsing LDAP hostnames with non-standard ports. * Fix issues with realms containing regular expressions. * Allow unary negation before parantheses in rlm_expr. * Fix infinite loop in kevent event loop code. Issue only presented on FreeBSD. * Be more careful to define Auth-Types before loading modules. * Link libfreeradius-radius against OpenSSL too, to avoid multi-version symbols in SSL libraries. * When rlm_ldap rebinds a connection, it should use bind credentials from the module that created the connection pool, not credentials from the module referencing it. * Empty server config pairs should be allowed in rlm_ldap instances that reference another module's connection pool. * Mark rlm_always as huppable, so its rcode can be changed via radmin (allows policy toggles). * Emit warnings when ignoring user configured pool values. 
* Fix issue that would cause radclient to complain intermittently about differing numbers of filters and requests. * Fix cosmetic issues in connection pool logging, that made it appear as if the same connection was being opened multiple times. * Fix threadsafety issues in SQL drivers, where a static buffer was used to store error messages. * Log RERROR, RWARN, RINFO to the global log if request logging is not enabled. * Link to libldap instead of libldap_r. libldap_r is not supported for use by projects outside of OpenLDAP. * Set connection timeout correctly in rlm_sql_mysql. * Build with older versions of libcurl, and use CFLAGS from curl-config. * Honour Packet-Src-Port and Packet-Src-IP-address in radclient. * Initialise ldapai_info_version field, so libldap will report its vendor and version. * Fix log rotation scripts by using the copyrotate option. * Fix issue that caused opening control sockets to always fail on non-Linux systems, if a user or group was set. * Save Session-State after proxying. * Additional fixes for reading CoA/DM requests from detail files. * Create dynamic clients if the dynamic clients virtual server returns ok *or* updated. Emit useful messages for other codes. * Compile bare "authorize" statements, and issue errors saying using them isn't a good idea. FreeRADIUS 3.0.6 Wed 17 Dec 2014 16:00:00 EDT urgency=medium Feature improvements * radmin / raddebug conditional errors are printed to the output, instead of being discarded. * raddebug will exit if condition set with -c was invalid. * radmin auto-reconnects if the connection to the server has gone away. * rlm_cache now has submodule support. See raddb/mods-available/cache * New memcached driver for rlm_cache. See raddb/mods-available/cache * Add support for &Attribute-Name[*] in conditions. See "man unlang" for details. * Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n]. * Allow for redundant string expansions. 
See the "instantiate" section of radiusd.conf. * When checking IP addresses in conditions, make the right side be parsed as an IP prefix. * Support JIT compilation of compiled regular expressions when built with libpcre. * Support named capture groups with "%{regex:}" when built with libpcre. * Increase regular expression capture groups from 8 to 32. * Emit error markers for badly formed regular expressions. * Allow 'm' flag to enable multiline mode in regular expressions. * Support limited implicit attribute conversion in update sections. * Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:). Bug fixes * PEAP works again. As does proxying EAP-MSCHAPv2 from inside of a PEAP tunnel. * "group" is allowed inside of "instantiate" sections. * update disconnect {} with disconnect:Packet-Dst-IP-Address now works correctly. * Regular expression comparisons of non string attributes are now disallowed in the files module. Previously they would silently fail or produce undefined behaviour. * Fix parsing of old regular expressions. Closes #842 * Fix off by one error in ascend filters. Closes #843. * Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them. * Fix infinite loop on "Fall-Through = yes" when processing SQL groups. * Correct the check of SQL query return code. * Run "Post-Auth-Type Reject" if the request was rejected in post-auth * Write "Login OK" only if the post-auth section passed. * Create TLS-Cert-* certificates, even when EAP session caching is disabled. * Finalize the "correct_escapes" with many more tests. * Move to the new OpenLDAP libldap API, fixes more issues with binary values. * Fix potential memory corruption in rlm_ldap if start connections were set to 0, and the server was running in threaded mode. The fix is a workaround for an issue in libldap and was suggested by Howard Chu. * Give parse errors on "%{...", without the closing brace. 
  * Allow spaces in certificate passwords for build rules in raddb/certs/
  * Make all regular expression evaluation binary safe. Where that's not possible, emit an error if the pattern or subject contains an embedded null byte.
  * Fix various issues around masking IPv6 addresses.
  * Give descriptive error if unknown attributes are used in "update" sections.
  * Deal gracefully with cases where ldap_initialize isn't available, and use it exclusively when it's available.

FreeRADIUS 3.0.5 Fri 21 Nov 2014 15:30:00 EDT urgency=medium
  Feature improvements
  * Large update to Huawei dictionary.
  * Added dictionary.rfc7155
  * Regular expressions like /%{User-Name}/ are now parsed and validated when the server starts.
  * All configuration items which are dynamically expanded are now parsed and validated when the server starts.
  * %{expr:...} expressions can now do bit shifting and more. See raddb/mods-available/expr.
  * The detail file reader can now track packets which have had replies, so they are never re-transmitted. See raddb/sites-available/buffered-sql, the "track" config item.
  * CoA and Disconnect packets can now be sent to a specific home server by setting control:Packet-Dst-IP-Address and (optionally) control:Packet-Dst-Port.
  * Allow CoA and Disconnect packets to be read from the detail file.
  * Allow LDAP to specify arbitrary attributes for dynamic clients.
  * Convert all unused attributes in the control: list to config pairs in dynamic clients. This allows arbitrary client attributes to be set for dynamic clients too.
  * rlm_couchbase now supports bulk loading of clients on startup in a similar way to rlm_ldap. Contributed by Aaron Hurt.
  * Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
  * Rename dictionary.redback to dictionary.ericsson.ab
  * Add --disable-openssl-version-check option to configure, so vendors can disable the check. Patch from Nikolai Kondrashov.
  * Do context-specific indenting in debug messages.
    This makes the debug output easier to read.
  * Make configuration a separate RPM, just like for Debian.
  * Better decoding of unknown VSAs.
  * When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
  * Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
  * Document retry_delay in connection pools.
  * Allow checksimul in rlm_couchbase.
  * Use kqueue on systems which support it. This allows for better scaling when using many sockets.

  Bug fixes
  * Parse list qualifiers in generic LDAP 'valuepair_attribute' attributes correctly.
  * Fix issue where prefix length would be ignored for dynamic or static clients if the address matched INADDR_ANY (0.0.0.0).
  * Allow null user object filter in rlm_ldap; it's valid to specify a complete object DN and use the base scope.
  * Don't SEGV if a received attribute value in a JSON structure is null, or a value can't be stringified.
  * Don't assert if the server returns a JSON content-type and the server hasn't been built with support for JSON. Closes #808.
  * Set CURLOPT_NOSIGNAL to prevent curl from handling signals and causing a longjmp error when the server was running with threads.
  * Allow tabs after attribute names in the "users" file. Closes #796.
  * Free unknown DICT_ATTRs. Closes #795
  * Handle unknown attributes in the conditions and "update" sections, e.g. Attr-1.2.3.4 = foo.
  * Use correct array size for MS-CHAP new password.
  * In rlm_rest, check for older versions of libraries at start time, rather than when a packet comes in.
  * Don't call detach on parse error in rlm_perl. Closes #802.
  * Integer fixes for big-endian systems. Closes #803.
  * Don't optimize %{Packet-Src-IP-Address}. Closes #804.
  * dhcpclient loads dictionaries correctly. Closes #805.
  * Double quotes are no longer escaped in single-quoted strings, e.g. 'foo "hello" bar'.
  * Fixes for proxying to virtual servers broke the detail file reader. Now they both work.
  * Typos and fixes from Nikolai Kondrashov.
  * Fixes to OpenSSL version checks, for cross-platform issues.
  * cppcheck fixes from Herwin Weststrate.
  * Fix build for OSX Yosemite.
  * Merge DHCP sub-options. Closes #812.
  * Fix decoding of Starent attributes.
  * When a module asks for a connection, don't return idle connections.
  * LDAP connection timeouts will now retry, instead of failing.
  * Prevent race conditions between fork and wait for child. Patch from James Rouzier.
  * Fix triggers for connection pools. Patches from Nikolai Kondrashov.
  * Fix SEGV when comparing non-string type check items.
  * Build with newer versions of libmysqlclient.
  * Make the %{escape:} and %{unescape:} xlat functions UTF-8 safe.
  * Don't escape UTF-8 chars in SQL query strings.
  * Fix issue in cached LDAP group comparisons, which caused checks to sometimes fail.
  * Fix use-after-free issue in unlang switch evaluation.
  * Respect operators in rlm_cache when merging into the current request.
  * Update Cache-Entry-Hits each time rlm_cache is called.
  * Produce WARN messages if SQL queries are empty strings.
  * Fix invalid assertion when proxying CoA requests.
  * Allow empty strings in "case" statements. Closes #836.
  * Normalize escaping for string expansions, i.e. don't do double escaping in rare situations.
  * Normalize LDAP escaping. LDAP servers have multiple ways to escape things, so the data has to be normalized before we can compare two LDAP DNs.
  * Don't go to high debug level if we're proxying inner EAP as EAP. Closes #839.
  * Fix rlm_rest state handling. Closes #835.

FreeRADIUS 3.0.4 Wed 10 Sep 2014 12:00:00 EDT urgency=medium
  Feature improvements
  * Home server "response_window" can now take fractions of a second. See proxy.conf.
  * radmin now supports "show module status", as the counterpart to "set module status".
  * Added dictionaries ericsson.packet.core.networks, bluecoat, citrix, compatible, riverbed, ruckus, and RFC 7268.
  * Add %{tag:} expansion to get the tag value of an attribute.
  * Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS - ' in pg_stat_activity.
  * All config item fields are now type checked at compile time to prevent issues similar to #634 occurring again.
  * Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap.
  * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
  * The above applies to "listen", "home_server", and "client" sections.
  * "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
  * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
  * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified, e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
  * Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests.
  * rlm_cache now consumes its control attributes to make runtime configuration easier.
  * Add control:Cache-Read-Only which, when set to 'yes', will make the cache module merge existing cache data, but not create new entries.
  * Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting.
  * Add support for aliases in rlm_ldap.
  * Add support for connection pool sharing to all modules that use the connection pool (pool = ).
  * "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
  * Preliminary support for EAP channel bindings.
  * Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
  * Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
  * The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
  * Allow comparison of integer attributes of different sizes, without requiring a cast.
  * rlm_sqlippool is now IPv6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
  * The debian build now checks for the OpenSSL package with the heartbleed fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
  * Allow bootstrap from multiple files in sqlite driver.

  Bug fixes
  * Make case-insensitive regular expressions work again, and add tests for them.
  * A few more talloc parenting issues.
  * Fix delayed proxy reply handling. Closes #637
  * Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646
  * Don't double-quote strings in debugging messages.
  * Fix foreach / break. Fixes #639
  * Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary.
  * Fix typo in mainconfig. Fixes #634
  * More rlm_perl fixes. Fixes #635
  * Free OpenSSL memory on clean exit.
  * Fix [0] !* ANY - Was removing all instances of
  * Fix case where multiple attributes were returned from RHS of mapping, as with rlm_ldap. Fixes #652
  * Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may have resulted in a read of uninitialised memory.
  * Don't SEGV if all connections to a database server go away. Fixes #651.
  * Fix issue where -= was not removing tagged instances of equal to (only untagged).
  * Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
  * Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified.
  * Fix issue where specifying a dynamic client IP address using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error.
  * Don't print two "&" for messages about attribute or list references in debug output.
  * Fix urlquote and escape to encode Unicode characters correctly.
  * Fix redundant-load-balance blocks to try other modules in the group if one fails.
  * Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes would sometimes be misnormalised as base64.
  * Don't stop processing DHCP options if we find a 0x00 padding option.
  * Fix issue where modifying the value of an attribute created from a template with a literal value may have resulted in the template literal being freed.
  * Fix parenting issues in TLS code which may have resulted in memory corruption and crashes.
  * Fix issue in radsniff where, when writing to PCAP files and using -R response filters, the requests would still be written to the PCAP for non-matching responses.
  * Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX.
  * Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes, e.g. if (&LDAP-Group == 'foo').
  * Delayed attribute references can now be used in unlang existence checks, i.e. if (&Attribute-Name) { ... }
  * Fix issues in EAP-PWD. CVE-2014-4731, CVE-2014-4732, and CVE-2014-4733. There is no external authentication bypass.
  * Fix a number of uses of the talloc parent/child reference.
  * Release connection used for reading bulk clients in rlm_ldap.
  * rlm_rest is now fail-safe if it's used without any configuration.
  * Pull in build fixes for FreeBSD from ports.
  * Fix error in sqlite postauth query.
  * Evaluate argument to "switch" statements once, instead of for each "case" statement.
  * Define sig_t on systems without it. Closes #765.
  * Fix boundary issue with rlm_rest. Closes #768
  * Optimize "%{Attribute-Name}" in comparisons only if the dictionary types match.
  * Don't do chmod() in rad_mkdir() if the directory already exists.
    We might not have permission to change it.
  * Use getpwnam_r() and getgrnam_r() on systems which support it. Closes #775.
  * Clients loaded from SQL are now tied to the "listen" section of a virtual server, instead of being global.
  * Check for -lpcre. The system might have pcre.h without -lpcre.
  * When proxying to a virtual server, use the proxy_reply instead of ignoring it.
  * Fixed typos in DHCP SQL IPPool.
  * Fix crash when passing multiple arguments to Perl xlat.

FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium
  Feature improvements
  * Everything now builds with no warnings from the C compiler, clang static analyzer, or cppcheck.
  * rlm_ldap now supports defining the LDAP attribute name via backticked expansion (i.e. shell command) in RADIUS <-> LDAP mappings.
  * rlm_ldap now supports older style generic attributes.
  * Dynamic expansions (e.g. "%{expr:1 + 2}") are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  * Static regular expressions (e.g. /a*b/) are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
  * Dynamic expansions are cached after being parsed. They are no longer re-parsed at run-time for every request.
  * Regular expressions are now parsed and cached when the server starts.
  * Added the %{rest:} expansion to rlm_rest, which will send a GET request to the URL passed as the format string. Any body text will be written to the expansion buffer.
  * rlm_rest now available as a debian package.
  * When an 'if' condition statically evaluates to true/false, unlang does more static optimization. For examples, see src/tests/keywords/if-skip
  * All modules are marked as safe for '-C', which lets the dynamic expansion checks work in more situations.
  * Added 'none' and 'custom' rlm_rest body types. 'custom' allows sending of arbitrary expanded text and content-type headers.
  * Added "config" section to Perl.
    See mods-available/perl
  * Added '%v' which expands to the server version. Patch from Alan Buxey.
  * More mis-matched casts are caught in "if" conditions, and descriptive errors are printed.
  * Support basic response validation in radclient. This allows administrators to write local test cases for their site-specific configurations.
  * Removed radconf2xml and radmin "show client config" and "show home_server config".
  * Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf".
  * Catch underlying "heartbleed" problem, so that nothing bad happens even when using a vulnerable version of OpenSSL.
  * Add locking API for sql_null, linelog, and detail modules, which should improve performance and work around issues on platforms with bad file locking.
  * Allow DHCP NAKs to be delayed, via setting reply:FreeRADIUS-Response-Delay = 1
  * Allow tag and array references anywhere attributes are allowed in "unlang".
  * Many enhancements to radsniff, including output to collectd, IPv6 support and packet loss statistics.
  * Many dictionary updates (ZTE, Brocade, Motorola).
  * rlm_yubikey now automatically splits passwords from OTP strings.
  * The detail file reader is now threaded by default. This should improve performance reading the files.

  Bug fixes
  * Fix xlat expression %{attribute[n]} so that it actually returns the n'th attribute instead of the first one.
  * Don't parse string on RHS of update {} when using unary operators (!*). The RHS should always be ignored.
  * Check for more optional functions in json-c so we can build with libjson0, which is the name of the json-c package on debian/ubuntu.
  * Fix issue in radmin where the main dictionaries would not be loaded which, depending on the configuration, may have caused validation errors.
  * Fix handling of "%{reply:3GPP-*}"
  * Fix rlm_perl garbage attributes.
  * Fix oracle SQL queries, which amongst other things still used the old expansion format, which is no longer supported/parsed.
  * Truncate long format strings and error markers instead of omitting them.
  * Fix multiple attribute parsing in rlm_rest JSON.
  * Don't crash in rlm_rest if connect_uri is commented out in the configuration.
  * Don't double-escape strings to / from Perl. You may need to double-check your Perl scripts if they use "\" characters. See mods-available/perl for documentation.
  * Don't re-run "authorize" if a home server fails to respond.
  * Don't append "0x" to hex output of octets types, for xlat expansions. This is the same as v2, and makes it easier to concatenate multiple attributes of type "octets".
  * FreeBSD fixes for execinfo linking.
  * Make some of the module configurations more consistent.
  * Fix corner cases where STDOUT wouldn't be closed in daemon mode.
  * Re-enable "update coa" and originating CoA requests.
  * Prevent multiple threads writing to the sql query logs.
  * Fix zombie period calculation. Closes #579
  * Properly parent VPs for talloc, when moving them in map2request.
  * Various fixes for talloc parent / child relationships.
  * Allow rlm_counter to support VSAs.
  * Normalize return codes for many modules. "do nothing" is noop, not "ok".
  * Run Post-Proxy-Type Fail. Closes #576
  * Fix DHCP destination port for replies to relays. Closes #591
  * Do-Not-Respond policy works again. Closes #593
  * Proxy-To-Virtual-Server works again. Closes #596
  * Build fixes for ancient systems. Closes #607, #608, #609.
  * %{Module-Return-Code} works again. Closes #610.
  * Don't increment statistics for Status-Server responses. Closes #612.
  * A duplicate request isn't a duplicate if the original one is marked "done". This should lower retransmissions from clients.
  * Fix multiple regular expression and glob memory leaks.
  * Don't allocate any memory in fr_fault() as it can cause malloc to deadlock.
  * Temporarily set dumpable flag before calling system in fr_fault(), else the debugger may not be able to attach.
  * Set nonblock on all TCP client sockets.
  * Fix minor buffer overrun in mschapv2 where some attribute strings were not correctly \0 terminated.
  * Fix crash on authentication failure with MIT kerberos.
  * Fix code so that octal escape sequences aren't prematurely unescaped in rlm_sql, radclient, preprocess, and other places. This may require configuration changes, as these sequences will no longer need double escaping (\\) of the backslash.
  * The connection pools no longer have one connection used twice in certain rare conditions.
  * Use self pipes for internal signals. The code was there, but was unused.
  * Don't crash if there are outstanding EAP sessions and we're told to exit gracefully.
  * Fix typo in dictionary.rfc4072

FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium
  Feature improvements
  * Secret keys and LDAP / SQL passwords are now printed as '<<< secret >>>' in debugging mode. Use -Xx to see the actual passwords.
  * Print out more information about passwords in -Xx, including hashes, comparisons, etc.
  * Allow cast (and implicit conversion) of integers to IPv4 addresses.
  * More xlats allow attribute references. This means they can operate on binary data, e.g. expr, base64, md5, sha1.
  * Added more tests.
  * The dictionaries are now auto-loaded. raddb/dictionary should no longer have $INCLUDE ${prefix}/share/dictionary
  * A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error. See radiusd.conf
  * Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap.
  * Add "%{sha256:}" and "%{sha512:}" xlat functions.
  * Cache CUI in EAP session resumption.
  * Templates can now have sub-sections, which will be included in the section referencing the template.
  * Update more dictionaries.
  * Added more instances of the "always" module, for all return codes.
  * Suppress broken NASes when proxying.
    Retransmits which occur more than once per second are rate-limited to once per second.
  * Allow '&' in more xlat expansions.
  * Update PostgreSQL schema and queries to record last updated time, and accounting interim.
  * Optimize more "if" conditions when the server loads. This will avoid work at run time, e.g. ("foo" == "bar") --> FALSE.
  * Allow removal of all attributes within a list with the !* operator.
  * Allow list to list copies with request qualifiers (outer.).
  * Add support for IPv4 prefixes and IPv6 addresses and prefixes to %{integer:}.
  * Allow radmin command "set module status " which can be used to forcibly enable/disable modules.
  * pap module now assumes Cleartext-Password if Password-With-Header doesn't have a {...} header.
  * Added "unpack" module. It can unpack binary data from horrible VSA formats. See raddb/mods-available/unpack
  * Added example IP Pool for DHCP, using sqlite. From Matthew Newton. See raddb/mods-config/sql/ippool-dhcp/

  Bug fixes
  * Fix SQL groups.
  * Fix operation of fr_strerror() with RE*() macros.
  * Don't assert if the connection we're trying to reconnect is not in_use.
  * Fix %{mschap:User-Name} xlat.
  * Allow comparisons of signed integers and of ethernet addresses.
  * Fix parsing of text-based ascend binary filters.
  * Fix a few minor Coverity and clang analyzer issues.
  * Log WARNING and ERROR prefixes only once, not twice.
  * Fix attribute truncation seen in Perl and other places.
  * Use correct port when DHCP relaying.
  * Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto.
  * Don't abort() when freeing home servers on exit.
  * Fix edge case in pairmove() when some attributes could be overwritten.
  * Do checks for individual sqlite v2 functions so rlm_sqlite builds correctly with more versions of the library.
  * In heimdal kerberos, create MEMORY ccaches on a per context basis. This prevents issues with the root ccache being used.
  * Fix corner case with proxying, where home server goes down.
  * Rate-limit "max_requests" complaint. We don't want to fill the logs when something goes wrong.
  * Use /dev/urandom for raddb/certs/random, if it exists.
  * Issue WARNING that old-style clients should no longer be used.
  * Auto-set secret to "radsec" for tcp+tls home servers.
  * Fix double free in home_server_add when there is a parse error on startup.
  * rlm_unix checks if the dictionaries are broken, instead of crashing.
  * Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes.
  * Register sqlcounter attributes correctly, and other issues with it.
  * Treat 127.0.0.1/32 as being identical to 127.0.0.1
  * Don't mangle error output of SQL drivers like PostgreSQL.
  * Fix usage of "tls = ${tls}". It could previously cause problems when the reference was used multiple times.
  * Fix TLS session leak for incoming sockets.
  * Try harder to clean up memory on exit when using "-mM".
  * Fix memory leak when home server is down for RadSec connections.
  * Rate-limit outgoing connection attempts when the home server is down. It will retry no more than once per second.
  * When parsing IPv6 address prefixes, always mask off the host portion.
  * Fix rlm_counter so that it does not create two reply attributes.
  * Fix issues with DHCP Sub-TLVs where the value of the first Sub-TLV would appear corrupted, and subsequent TLVs would not appear in debug output.
  * Initialize scope in IP address parsing.
  * Prevent vendor attributes and RFC space attributes from clashing in rlm_attr_filter.
  * Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP.
  * Fix POST attribute parsing in rlm_rest.
  * Fix JSON attribute parsing in rlm_rest.
  * Don't append trailing & to POST options in rlm_rest (minor).
  * Process HTTP 100 Continue messages correctly in rlm_rest.
  * Fix generation of long (> 512 byte) POST payloads, where attribute values on the chunk boundary may have been omitted in rlm_rest.
  * Remove duplicate escape sequence parsing in rlm_sqlippool and rlm_sqlcounter which caused issues with escaping %. Escape sequence parsing is now handled purely by the xlat functions.
  * Ensure %% is treated as a string literal, and so not passed to any xlat escape functions for processing.
  * Correct calculation of Message-Authenticator for CoA packets. Closes #556

FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium
  Feature improvements
  * Add "timeout" to exec, and "ntlm_auth_timeout" to mschap, so that run-away child processes are caught earlier.
  * Allow TLS clients to use "proto = tls", in which case TLS is required. The shared secret is then set to "radsec".
  * More documentation in the tls virtual server.
  * Add "date" module for date formatting. See raddb/mods-available/date.
  * Added unit test suite for internal server functionality.
  * When loading "update" sections, check if the RHS is a literal value. If so, syntax check it immediately.
  * Update LDAP module documentation and functionality. The generic attribute can now update lists.
  * Updated dictionary.extreme.
  * Update sqlippool to do clears as a separate transaction, and at most once per second. This should help MySQL.
  * Respect control:Response-Packet-Type for all types of requests.
  * Add support for SSL encryption to the MySQL driver.
  * Allow arbitrary connection parameters to be used with the PostgreSQL driver.
  * Changes to the OpenLDAP schema to fully expose functionality of the new LDAP module.
  * Update debian packaging to include a freeradius-config package. This package may be provided as a site local package to avoid fighting with the preinstalled config files.

  Bug fixes
  * Use correct field for ARP setting in DHCP.
  * Fix crash on debug condition (#454).
  * Fix a number of minor issues caught by the clang analyzer.
  * Set WARNING messages to yellow instead of normal text.
  * Correct debug colorise logic. Patch from Phil Mayers.
  * Encode attributes of type "ethernet". No one uses them, but it makes sense.
  * Work around regex initialization issues.
  * Fix build when linking against OpenSSL.
  * Print IDs as positive numbers, which helps for large DHCP XIDs.
  * Fix issue with sql_ippool.
  * sqlcounter now uses 64-bit counters, to deal with 4G overflow.
  * Fix issues with DHCP subsystem.
  * Don't build / install disabled modules, or their config files.
  * Fix build for OSX Mavericks, which hid the header files in a magical place.
  * Fix LEAP buffer issue. You should still avoid LEAP.
  * Mark "unknown" WiMAX attributes as being WiMAX.
  * Fix typo in packet decoder for fragmented extended attrs.
  * RPM spec fixes.
  * Fix rlm_perl build issues when not using threads.
  * Enable %{Response-Packet-Type} again.
  * Update configuration file parser to handle "bool" consistently.
  * Update declarations of global boolean variables to use "bool" consistently. This fixes an issue where some modules were instantiated in "config check" mode and did not work correctly.
  * Make more messages debug instead of info, to avoid polluting the logs with messages that can't be fixed.
  * Set operator in internal unlang code to suppress spurious warning messages.
  * Fix debian packaging.
  * Added "status" to Debian init script.
  * Fix "update outer.request" to update the outer request.
  * Don't print TLS debugging messages when not in debug mode.
  * Correctly manage counters for "limit" sections of TCP / TLS "listen" sockets.
  * Fix libldap debug output.
  * Fix rlm_ldap tls functionality.
  * Initialise OpenSSL globals early to avoid issues with the PostgreSQL library.
  * Fix typo in sqlcounter expansion code. Fixes #463
  * Overwrite previous instances of SQL-User-Name when adding it to the request.
  * Work around bugs in both MIT and heimdal versions of krb5_copy_context(), which caused segfaults in multithreaded mode.
  * Provide meaningful error messages if Heimdal krb5 is used.
  * Fix attribute suppression in rlm_detail.
  * Exit with error code if child fails to complete server initialisation after forking. This allows init scripts to correctly report whether the server started ok.

FreeRADIUS 3.0.0 Mon 7 Oct 2013 15:48:14 EDT urgency=medium
  Feature improvements
  * Documentation for upgrading from 2.x is in raddb/README.rst. Please follow it. It will make the upgrade easier.
  * Moved configuration entries in radiusd.conf to make more sense.
  * Added the "integer64" and "ipv4prefix" data types.
  * Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls
  * Updated internal API to support new attributes and formats.
  * Added code to send SNMP Traps. See raddb/trigger.conf.
  * Added preliminary support for Apple's Grand Central Dispatch.
  * Added provisions for raddb/dictionary.local, for local changes. See raddb/dictionary for more details.
  * Added packet/s tracking. See max_pps in the "listen" section.
  * The %{} expansions and "unlang" conditions are now parsed at server start. Descriptive errors are produced for syntax and format errors.
  * Casting is now supported for "unlang" comparisons. See "man unlang", e.g. 127.0.0.1 == Framed-IP-Address.
  * Direct comparison of attribute references is now supported, e.g. &Foo == &Bar. This avoids stringification of the attributes.
  * Direct assignment of attributes is now supported, e.g. Foo := &Bar. It also works for "octets" data types.
  * Comparisons of IPv4 and IPv6 prefixes are now supported. The "<" operator means "within the prefix" for comparisons.
  * New sha1 xlat expansion (thanks to Alan Buxey).
  * Colourised log messages when logging to stdout. Look for yellow warnings and red errors. Doing this will save you a LOT of grief.
  * If the PCRE library is available, use it (instead of the POSIX functions) to process regular expressions (thanks to Phil Mayers).
  * -xv now displays all the features the server was built with, and the versions of the core libraries (libtalloc, libssl).

  Module Changes
  * Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/, following the examples of other projects.
  * Additional files for each module are now in raddb/mods-config/. See raddb/mods-config/README.rst for documentation.
  * Moved "users" to raddb/mods-config/files/authorize
  * Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/
  * Moved eap.conf to mods-available/eap
  * Moved sql.conf to mods-available/sql
  * Moved TLS configuration for EAP into a common subsection. See raddb/mods-available/eap, "tls-config" section.
  * Added support for MS-CHAP Change Password from Phil Mayers. See raddb/mods-available/mschap, "passchange" subsection.
  * Added EAP-PWD implementation from Dan Harkins.
  * Added connection pools for modules. This unifies connection management, which was previously different for different modules.
  * SQL now uses the connection pool. See mods-available/sql
  * SQL now supports arbitrary Acct-Status-Types. These changes are not compatible with 2.x.
  * SQL now has full support for SQLite. See raddb/sql/main/sqlite/
  * SQLite supports auto-creation of new databases on server startup for bootstrapping purposes.
  * LDAP now uses the connection pool. The LDAP module has been completely re-written for performance and simplicity.
  * LDAP now caches groups. This makes multiple group checks MUCH faster.
  * Removed all limitations on 253 octet attributes. RFC 6929 allows for attributes up to 4K in length.
  * New rlm_idn module providing an expansion for performing IDNA encoding of internationalized domain names. Thanks to 'skids'.
  * New rlm_yubikey module to validate yubikey OTP tokens. See raddb/modules/yubikey

  Bug fixes
  * All known bug fixes from 2.2.x are included.
  * Removed "addport" functionality.
  * Removed many unused or duplicate modules. See raddb/README.rst.

  Internal / API changes:
  * All traces of the old build system have been removed. The new build system is faster and simpler.
  * clang is fully supported.
  * We now use "talloc" for memory management. A number of new features required this change. Thanks to the Samba people!
  * Many internal APIs have been updated to use talloc.
  * New API for iterating over VALUE_PAIRs. This is in preparation for attributes, in version 3.1.
  * No new code should directly modify any field of a VALUE_PAIR.
  * VALUE_PAIRs contain pointers to DICT_ATTR instead of containing attribute and vendor fields. This will allow nested attributes.
  * Some protocol specific code has been moved out into proto_* modules. More will come in subsequent versions. See proto_dhcp and proto_vmps.
  * Standardised internal logging macros. radlog() should not be used. See src/include/log.h
  * Use OpenSSL hashing functions when available.
  * The server now builds with no warnings on most platforms.
  * New RADIUS encoder/decoder, to support new formats.
  * Added RFC 6929 "extended attributes", via the new encoder/decoder.
  * Added full WiMAX support, via the new encoder/decoder. The old code could not handle some unusual corner cases.
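As an added example (not taken from the FreeRADIUS ChangeLog or from the project's own raddb/ files), the following "authorize" fragment puts the 3.0.0 unlang features listed above (casting in comparisons, &Foo == &Bar, Foo := &Bar, and "<" as "within the prefix") together with the later &attr[*] "+=" copy from 3.0.4 and the [*] / [n] condition references from 3.0.6 into one policy. The policy itself, the 10.0.0.0/8 management prefix and the Cisco-AVPair value it checks are illustrative assumptions; the attribute names are standard dictionary attributes, and Tmp-String-0 is the server's internal scratch attribute.

```unlang
# Added example, not part of the FreeRADIUS ChangeLog or raddb/ defaults.
# Policy, prefix and AVPair value below are illustrative assumptions.
authorize {
	# 3.0.0 casting: the literal is cast to ipaddr and compared natively,
	# so Framed-IP-Address is never stringified for the comparison.
	if (<ipaddr>127.0.0.1 == &Framed-IP-Address) {
		reject
	}

	# 3.0.0 prefix comparison: "<" means "within the prefix".
	# 3.0.6 parses the right-hand side of such a condition as a prefix.
	# Assumed policy: requests claiming a management address are refused.
	if (&Framed-IP-Address < 10.0.0.0/8) {
		reject
	}

	# 3.0.0 direct comparison of two attribute references.
	if (&User-Name == &Stripped-User-Name) {
		update request {
			&Tmp-String-0 := "no realm"
		}
	}

	# 3.0.0 direct assignment of one attribute to another, no stringification
	# (also works for "octets" types).
	update reply {
		&Reply-Message := &User-Name
	}

	# 3.0.4: "+=" with [*] copies every instance of an attribute.
	update reply {
		&Class += &request:Class[*]
	}

	# 3.0.6: [*] in a condition matches if any instance equals the value;
	# [n] refers to the last instance of the attribute.
	if (&Cisco-AVPair[*] == "shell:priv-lvl=15") {
		update request {
			&Tmp-String-0 := &Cisco-AVPair[n]
		}
	}
}
```

Running the server with -X shows each condition being evaluated with the cast or prefix applied, which is the quickest way to confirm that a comparison is happening on the typed value rather than on a string.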