1 FreeRADIUS 1.1.6 ; $Date$, urgency = high
3 * Added dictionary.rfc4372 (Chargeable User Identity)
4 * Added dictionary.rfc4675 (VLAN and Priority)
5 * Added dictionary.rfc4679 (ADSL Forum)
6 NOTE some name differences from the RFC, due to dictionary.redback
9 * Corrected typo in rlm_pap.c (closes #440)
10 * Corrected typo in src/main/auth.c (closes #437)
11 * Suppress SSL error messages if error is zero. (closes #436)
12 * Don't complain about "Error in read client certificate A"
13 if we expect to read it in the next packet. Fix based on patch
15 * Corrected nearly 30 bugs found by Coverity
16 See also http://scan.coverity.com
17 * Don't die on HUP. Instead leak memory (sorry). After a few
18 hundred HUP's, the server will have leaked a few megabytes of
19 memory, and you should probably re-start it. It's ugly, but
20 better than dying. (Closes #426)
21 * Corrected a few double free's
22 * Corrected typo in radrelay, which prevented it from working
23 * Made Firebird module build
24 * Fixed bug in PostgreSQL module that caused server crash.
25 * Fixed bug in SQL module that could cause server to crash.
27 FreeRADIUS 1.1.5 ; Date: 2007/03/05 13:13:43 , urgency=low
29 * Updated rlm_python to something usable
30 * Added experimental sql "HPW" IPPools.
31 * Added more dictionaries
32 * Dictionary files now MUST NOT be globally writable.
33 * Configuration files now MUST NOT be globally readable,
35 * Be more aggressive about freeing memory on clean exit.
36 This helps track down run-time leaks.
37 * Updated rlm_python to something usable
38 * Added experimental sql "HPW" IPPools.
41 * Corrected base64 decoding in rlm_pap
42 * Don't retransmit accounting packets. The NAS should do this.
43 * Handle Client-Error in EAP-SIM. This closes #419
44 * Port OpenSSL locking fixes from CVS head. This makes PEAP
45 more stable on some systems.
46 * Require Message-Authenticator in Status-Server packets
47 * Correct Tunnel-Medium-Type VALUEs in dictionary.rfc2868
48 * Be more aggressibe about freeing memory on clean exit.
49 This isn't strictly a bug fix, but it makes it easier to
51 * Increase buffer size for dynamic expansion, which allows
52 longer SQL qeuries. (close: #405)
53 * Use correct line number when there's a parse error in one
54 of the configuration sections. (close #421)
55 * Terminate SSL sessions in EAP on error, rather than continuing
57 * Increase buffer size to allow parsing of long octet strings
58 * Fix string termination on xlat in rlm_perl
60 FreeRADIUS 1.1.4 ; Date: 2007/01/14 00:37:15 , urgency=medium
63 * Major enhancements to rlm_pap, that make "encryption_scheme"
64 a thing of the past. See "man rlm_pap" for details.
65 * Added SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag to use
66 work-arounds that enable Windows Vista clients to work.
67 * Added preliminary code to support Firebird. (closes: #378)
69 * Send MS-CHAP2-Success, which makes EAP-TTLS/MSCHAP work on more
70 platforms. (closes: #402)
71 * Add a new "reply-name" directive in rlm_sqlcounter to define the
72 name of the reply attribute. (closes: #403)
73 * Added more dictionaries and attributes (closes: #408, among others)
74 * Print ntlm_auth failure reason in Module-Failure-Message
76 * radsqlrelay is able to get the DB password from a file instead
77 of command line. (closes: #395)
80 * Fix a parse error in the digest module, where malformed
81 digest requests would result in the user being accepted. Oops...
82 * VALUEs can only be defined for 'integer', to catch mistakes
83 with setting VALUEs for type 'string'.
84 * Better parsing of VALUE names, so that values starting with
85 a digit work correctly.
86 * Check return from malloc (closes: #407)
87 * Fix a double free() in rlm_eap_tls.c (closes: #404)
88 * Check return code of malloc() during initialization. (closes: #407)
89 * Fix a corner case where the proxy port isn't set either in
90 radiusd.conf or in proxy.conf.
92 FreeRADIUS 1.1.3 ; Date: 2006/08/22 23:09:20, urgency=low
95 * rlm_otp now talks to otpd for OTP verification, rather than
96 doing the work itself; this improves portability and security
97 (access to OTP token keys is now much more limited)
98 * More dictionary updates
99 * Added Oracle support to radsqlrelay
100 * Added experimental module sql_ippool. See doc/rlm_sqlippool
103 * Allow rlm_dbm to load empty check items (Bug #380)
104 * Better handling of Framed-MTU in EAP-TLS (Bug #383)
105 * Handle Access-Challenge verification properly
106 * Fixed configure/make error for Solaris (set HAVE_CLOSEFROM).
107 * Update libtool and ltdl to 1.5.22, to fix 'make install R=';
108 also improve integration by importing unmodified original
109 source (except a small patch to ltdl)
111 FreeRADIUS 1.1.2 ; Date: 2006/06/23 04:57:51 , urgency=low
114 * Allow tagged VSA's for Juniper. Closes bugs #367 and #368.
115 * Allow Ascend "abinary" format to be specified as octets,
116 (e.g. Ascend-Data-Filter = 0x010203...)
117 * Added "cipher_list" configuration to the EAP-TLS module.
118 See "eap.conf" and "man 1 cipher" for details.
119 * Added "check_cert_issuer" configuration to the EAP-TLS module.
120 See "eap.conf" for details. (closes: #346)
121 * Added "suppress" configuration entry to rlm_detail,
122 to suppress certain attributes (e.g. User-Password).
123 This closes bug #359.
124 * More dictionary updates
125 * Write SSL errors to log file, rather than stderr.
126 This closes bug #347.
127 * Allow a core dump on uid change on Linux (closes: #361)
130 * Return better error codes in SQL IODBC module. Closes bug #341.
131 * Corrected list of EAP handlers.
132 * Initialize variable in rlm_ldap.c. This fixes RedHat
134 * Escape more ldap strings, so configuration entries
135 that have magic LDAP characters don't break LDAP.
136 This closes bug #360.
137 * Updated doc/rlm_ldap. This closes bug #353.
138 * Updated redhat/freeradius.spec. This closes bug #330.
139 * Don't forcibly over-write Auth-Type in the mschap module.
140 This prevents an earlier module from forcing reject.
141 * Use the correct module reference in the authenticate section,
142 where Auth-Type wasn't explicitely specified.
143 * If there are typos in a subsection in radiusd.conf, exit
144 after printing an error, rather than continuing.
145 * Print Ascend "abinary" format as text rather than octets
147 * Silently drop packets with bad Message-Authenticators, as per RFC3579
148 * Unbreak ./configure --disable-static (closes: #350)
149 * Unbreak ./configure --prefix (closes: #354)
151 FreeRADIUS 1.1.1 ; Date: 2006/03/17 19:50:34, urgency=low
154 * Additional state checking in the EAP-MSCHAPv2 module.
155 Bug found by Steffen Schuster.
158 * More dictionary updates
159 * Additional tests and fixes for Digest module from Phillipe Sultan.
160 * Add new "phone" response mode to rlm_otp/cryptocard.
161 * Put the eap sessions into a tree, so that looking them up is very
162 fast, and no longer O(n) in the number of sessions.
163 * Install the schema examples for a set of backends with the rest
164 of the documentation.
165 * Add support for xlat expansion of attributes from LDAP.
168 * Fix rlm_perl crash. (closes: #348)
169 * Fix handling of CoA-Request packets (close #344). Also correct
171 * Fix an error on x86_64 machines when reading dictionaries.
173 * Fix compilation errors on FreeBSD and NetBSD because of rlm_otp
174 module. (closes: #314 #328)
175 * Workaround Cisco bug in State attribute handling in rlm_otp.
176 * Support LP64 for async mode in rlm_otp.
177 * Fix libtool problems on Debian with rlm_eap_peap and rlm_eap_ttls
178 modules. (closes: #75)
179 * Make "use_tunneled_reply" work properly for PEAP.
180 * Copy the whole string when getting a one-to-one-mapped attribute
181 from LDAP (closes: #261)
182 * Fix net-snmp's ucd-snmp compatibility mode.
184 FreeRADIUS 1.1.0 ; Date: 2006/01/04 05:55:19, urgency=low
187 * rlm_ldap has "set_auth_type" configuration option, which should
188 address some configuration problems when using it.
189 * Fix MIT Kerberos bug
190 * Modules can be load balanced, both in isolation and redundantly.
191 See doc/load-balance.txt for more information.
192 * rlm_perl is now marked "stable"
193 * N-tier certificate patch from Mohammed Petiwala.
194 * Copied dictionaries from the CVS head (many, many, more vendors)
195 * Enabled support for weird VSA formats, like Lucent and Starent.
196 * Support encrypted IP address and integers, for Juniper clients.
197 * Add PEAP machine authentication support in module "rlm_mschap".
198 * Support User-Password field encryption in digest mode.
199 * rlm_x99_token has become rlm_otp (with lots of changes).
200 * Add rlm_sqlcounter to the list of stable modules.
201 * Read MySQL specific options in sections [freeradius] and [client]
203 * Support the ${Cisco-AVPair[n]} syntax.
204 * Execute modules in {Pre,Post}-Proxy-Type stanzas.
205 * Add new options to radclient to run stress tests on the server.
206 * New module "rlm_sql_log" to postpone the storage of accounting data
207 in a SQL database. See rlm_sql_log(5) manpage.
208 * New program "radsqlrelay" which sends the SQL logfile according to
209 the SQL server's capabilities.
212 * #306 (HUP when built with threads, but executed with -s)
213 * #285 (more attributes in dictionary.cisco.vpn3000)
214 * rlm_digest has a number of bug fixes to authentication types.
215 * Don't leak memory in module "rlm_sql".
216 * Update the dictionaries, so that VALUEs with the same name,
217 but different numbers, aren't allowed.
218 * Queue the request before looking for available threads.
219 * Don't free the check items after we received the proxy reply.
220 * Expand config variables in included files, too.
221 * Check the return value of accounting modules and don't proxy
223 * In rlm_passwd, don't close a file stream more than once.
224 * Fix format string errors in rlm_sql.c, spotted by Primoz Bratanic.
225 * Walk the whole string in when escaping strings in rlm_ldap.
226 * Include crypt.h if it is available so we get a prototype for crypt(),
227 spotted by Konstantin Kubatkin.
228 * Removed (for almost all uses) length restrictions on vendor names
230 * Don't leak memory when proxying an Access-Challenge response.
231 * Make the sleep time user-defined, so radrelay can send more than
233 * Fix a memory leak in rlm_checkval.
234 * radclient doesn't resend countless times packets with invalid
236 * Fix segfault and mem leak in rlm_pam.
238 FreeRADIUS 1.0.5 ; Date: 2005/09/04 16:23:00, urgency=medium
241 * SQL injection attack in the module "rlm_sqlcounter".
242 * Buffer overflows in the module "rlm_sqlcounter".
243 * Expansion of variable %t may write 26 bytes beyond the buffer
244 bound. Primoz Bratanic is credited with the discovery of these
248 * Don't de-reference a NULL pointer if the auth-type is unknown
249 in the function rad_check_password().
250 * Escape more characters in the LDAP queries.
251 Bug found by Suse engineers.
252 * In rlm_sql_unixodbc, don't call rad_malloc from sql_error(),
254 * Fix an off-by-one error in the module rlm_sql_unixodbc.
255 Bug found by Suse engineers.
256 * In rlm_sql, resize the buffer for the value of SQL-User-Name.
257 * Initialize memory for a new SQL socket in the module rlm_sql.
258 * Don't add too many attributes after running an external program.
259 Bug found by Suse engineers.
260 * Fix an off-by-one error in the function getthing().
261 * snprintf() and vsnprintf() replacements were not compiled if
262 the autoconf tests didn't find the functions.
263 * Don't use vsprintf() anymore, but the replacement for vsnprintf()
264 in libradius instead.
265 * The function decode_attribute() may write beyond buffer bounds.
266 Bug found by Suse engineers.
267 * Fix a memset() in the function request_enqueue() which was
268 begining at the wrong address. Bug found by Matthias Ruttman.
269 * Fix an off-by-one error in the function xlat_copy().
270 Bug found by Primoz Bratanic.
271 * Fix other off-by-one errors in module "rlm_unix", too.
272 Bug found by Allan Bazinet.
273 * Fix a 2-byte over-run read in function rad_decode().
274 * Update thread pool queue properly.
275 * Autonconf tests try first any user-specified directory,
276 otherwise they may pick up the wrong version.
277 * Delete the autoconf tests for the libldap dependancies.
278 * Install all the regular files under the "doc" directory.
279 * Distinguish between exit code <0 (failure) and >0 (reject)
280 in Exec-Program-Wait. Patch from Thor Spruyt.
281 * Make Expiration work.
282 * Clean up the code for opening a proxy socket.
283 * When finding a realm to proxy to, if all are dead, wake them
284 if wake_all_if_all_dead is true.
285 * In radwho, print the NAS-Port as unsigned int.
286 * Use extended regex instead of basic regex in rlm_attr_filter.
287 * Catch the case where someone deletes a directory that rlm_detail
289 * Use the variable $(LDFLAGS) when linking a module.
290 * Ignore the Stripped-User-Name when a realm has the "nostrip"
292 * Add support for NT-Password in rlm_pap.
293 * In rlm_sqlcounter, use the time left to the next reset if it's
294 inferior to the time left in the counter.
295 * Calculate Message-Authenticator correctly for Accounting-Request
296 and Accounting-Response. Bug found by Paolo Rotela.
297 * Build on MAC OS X. Still need --disable-shared, though.
298 * Fix bug #255 (crash with expired CRL's, etc.)
299 * Fix quote removal of the values from a SQL database.
300 * Reap the zombie process after a command run from "Exec-Program".
301 * Allow to cancel proxy of accounting with "Proxy-To-Realm := LOCAL".
302 * Don't copy VSA's to an Access-Reject packet.
304 FreeRADIUS 1.0.4 ; Date: 2005/06/11 22:46:52, urgency=medium
306 * Fix installation problem.
307 * Increase a buffer size, so radrelay doesn't truncate values.
308 * Updates in the documentation. Patches from Thor Spruyt.
310 FreeRADIUS 1.0.3 ; Date: 2005/06/03 17:15:11, urgency=high
313 * Always escape the strings in the SQL module.
314 * Check buffer bound when input character needs escaping in
315 the SQL module. Bug found by Primoz Bratanic.
318 * Return EAP-Fail in Access-Reject, rather than an empty Access-Reject
319 * Don't send Proxy-State from home server in TTLS.
320 * Fixes for forking external programs, so the server doesn't
321 suddenly stop processing requests, or stop forking programs.
322 * radzap now works, but it's command-line options have changed
323 completely, and it's a shell script.
324 * radwho has updated command-line options, and no longer reads
326 * Fix bug in calling checkrad script with NAS port > 9999999
327 * Fix long-standing bug when both crypt and pthreads are in use
328 * Don't SEGV when rlm_sql gets 'NULL' value from request.
329 * Re-arrange code in radrelay to not duplicate accounting packets.
330 * In rlm_attr_rewrite, change the value when the attribute type
331 is different from string.
333 FreeRADIUS 1.0.2 ; Date: 2005/02/13 01:03:20, urgency=medium
335 * Novell eDirectoty support. Patch from Novell.
336 * localweb & Trapeze dictionary updates.
338 * Make "Strip-User-Name = No" work.
339 * Don't declare zero-length arrays in rlm_passwd
340 * Bug fix to make udpfromto code work
341 * radrelay shouldn't dump core if it can't read a VP from the
343 * Only initialize the random pool once.
344 * In rlm_sql, don't escape characters twice.
345 * Fix MD4 calculation on big-endian machines.
346 * In rlm_ldap, only claim Auth-Type if a plain text password is present.
347 * Treat Quintium VSAs like Cisco VSAs
348 * Locking fixes in threading code
349 * rlm_krb5 includes /usr/include/et for Fedora Core
350 * Fix post-auth REJECT stanza processing for rejections from external
351 processes or home RADIUS servers
352 * Fix building on gcc-4.0 by not trying to access static auth_port from
354 * Fix building SNMP support on Solaris 9, which needs -lkstat
356 FreeRADIUS 1.0.1 ; Date: 2004/09/02 10:52:03 , urgency=high
358 Denial-of-Service Security Fix
359 * Fix two remote crashes and a memory leak in RADIUS packet
363 * Fix premature "success" during EAP/TLS handshake.
364 * Dictionary handling now complains about identically named
365 values with different values, and rejects dictionary
366 entries with bad data
367 * Update dictionaries to deal with the above change.
369 FreeRADIUS 1.0.0 ; Date: 2004/07/17 06:31:32, urgency=low
372 * Fix LDAP dictionary map loading.
373 * Check login time allowance to packet timestampe where available.
374 * Compilation fix for machines withouth <pthread.h>.
375 * Man page improvements.
376 * Grab latest config.sub and config.guess (2004-03-12).
379 * Make IPv6 support work better.
380 * Updated 3com dictionary.
381 * Fixed MD5 code to be more portable.
384 * Updated SQL onoff query
385 * Updated Nomadix, RedBack and Valemont dictionaries.
387 * Don't complain about ports we're listening on when HUP'd.
388 * Permit -i to work for radclient.
389 * Fix bug in new proxy code.
390 * rlm_passwd is now a little friendlier.
392 Non source-code changes
393 * Preliminary tests indicate that the server builds and runs on
394 Interix (SFU on Windows XP).
395 * EAP module configuration is now in "raddb/eap.conf", as it was
397 * Updated GPL boilerplate in the source.
398 * Added new RFC's to doc/rfc/
399 * Added more "man" pages for many of the modules. Many of the
400 'doc/rlm_*' files have been deleted, and replaced with 'man' pages.
401 * Added many new dictionaries: 3GPP, 3GPP2, Propel, Karlnet,
402 Sonicwall, Navini, Bristol University, Valemont, Mikrotik.
403 * doc/configurable_failover is now understandable by mere humans.
404 * Update scripts/rc.radiusd with examples of how to deal with
405 shared library issues.
407 * Updates to configure scripts for MySQL.
408 * Updated doc/tuning_guide, with comments about SQL.
410 Core feature improvements
411 * Many, many minor bug fixes and feature enhancements.
412 * Added "reject" action in configurable failover for modules
413 * Added a "listen" directive, which supersedes the old
414 "bind_address" and "port" directives. "listen" allows much
415 finer-grained control over what IP's, ports, and packets the
416 server pays attention to.
417 * The proxy code has been updated to work properly, and to
418 allocate new sockets for proxying packets when there are more
419 than 256 requests outstanding to a home server. Many thanks
420 to Stephen Jaeger for help in debugging the new feature.
421 * Regular expression matches in brackets can now be referenced
422 as in Perl, via %{1}, %{2}, etc.
423 * added ability for mschap module to use ntlm_auth, to perform
424 MS-CHAPv1 and MS-CHAPv2 authentication against a Windows
426 * Check return value from registered xlat functions. If return
427 value is 0, treat the attribute as not found. This lets things
428 like %{sql: select... :-FAILED} work.
429 * Realms can now be configured to ignore DEFAULT and NULL
430 realms. This makes prefix/suffix realms co-exists a little
432 * Added red-black tree implementation to src/lib. The
433 dictionaries now use it, rather than singly linked lists. Tests
434 indicate that the server is up to 30% faster.
435 * Updated MSCHAP module to be able to better deal with Windows
436 machines which put a username with domain into User-Name, but
437 which use only the username to create the MS-CHAP-Response.
438 * Made "hints" file more generic and flexible, without changing
440 * Enhanced configuration file variable handling. See
441 doc/variables.txt for details.
442 * Checks for OpenSSL now enforce version number, and are common
443 across all modules, rather than being duplicated.
444 * Implement "udpfromto", which allows the server to work better in
445 LVS. Code from Jan Berkel and Miquel van Smoorenburg. To use
446 it, do: ./configure --with-udpfromto=yes
447 * Re-arranged "walk over cached requests" code for clarity.
448 * The server now keeps more SNMP statistics about the packets it
450 * De-coupled the queue of input requests from the pool of threads.
451 This allows "spikes" of requests to be queued, even though all
452 threads are busy. This change significantly increases the
453 servers ability to process large numbers of requests on a
455 * Re-arranged the internal "core" request handling code, to
456 make a little more sense.
457 * Removed support for Replicate-To-Realm. Use radrelay.
458 * Print & parse unknown attributes as Attr-%d, Vendor-%d-Attr-%d,
459 or VendorName-Attr-%d.
460 * rlm_passwd is now marked "stable", and has many bugs fixed.
461 * More flexible configuration for rlm_ldap.
462 * New implementation of parser for Ascend's data filter
463 attributes, that is now thread-safe and GPL'd.
464 * Preliminary (not entirely complete) support for IPv6 attributes,
466 * Added support for rejected packets to run an Post-Auth-Type REJECT
467 stanza instead of skipping post-auth entirely.
468 * Added support for %{*:Packet-Type} translation. (Not for %{check:})
469 * Added support for %{check:Attribute-Name} to go with
470 %{request:Attribute-Name} and the like.
471 * Add support to rlm_sql for post-authentication query execution.
472 * Add support to rlm_sql for accounting_update_query_alt
473 * Add support for supplementary groups of switched-to user
474 * Add support for xlat-ing backquoted reply values from SQL queries.
475 * Add Public Domain MD5 implementation by Colin Plumb
476 * Add Public Domain MD4 implementation by Colin Plumb and
478 * Remove smbdes.c from libradius, and add to rlm_mschap and
480 * Replace GPL'd snprintf.c in libradius with LGPL'd snprintf.[ch]
482 EAP-module feature improvements
483 * Allow checking of EAP identity against certificate.
484 * EAP-TLS now checks Certificate Revocation List
485 * Added EAP-TTLS support in rlm_eap. Tested with many clients,
486 and with tunneled PAP, CHAP, MS-CHAP, MSCHAPv2, EAP-MD5,
487 EAP-MSCHAPv2, and EAP-GTC.
488 * Added EAP-PEAP support, with tunneled EAP-MSCHAP-V2, and EAP-GTC.
489 Patch from Masao Nishiku. (Many, many thanks!)
491 * Enabled proxying of the authentication request which is tunneled
492 inside of PEAP and TTLS.
495 * Add support to checkrad.pl for mikrotik-brand NASs over SNMP
496 * Added rlm_ippool_tool, by Edwin Groothuis.
497 * Updates to radclient, so that you can specify multiple '-f'
498 options, and it will send those packets in parallel. This
499 allows for significantly higher packet rates when load testing.
502 * Fix a bug in the attr_filter module, which would throw away
503 the tag from tagged attributes.
504 * Bug fixes to thread handling from Malcolm Caldwell.
505 * Fixed a bug in libltdl which printed the wrong error message
506 when trying to link to a library. Found by Paul Stewart.
507 * Correct error condition in rlm_krb5. Patch from Jon Moore.
508 * Updates for 64-bit systems.
509 * Patch to make ctime_r work on non-compliant platforms.
510 Patch from Oliver Graf.
511 * Updates to rlm_ippool for stability.
512 * Catch packets which are just about 4K in size.
513 Bug found by Nils-Henner Krueger.
514 * Many fixes to the SQL module & sub-modules.
516 FreeRADIUS 0.9.3 ; Date: 2003/11/20 20:15:48, urgency=high
518 * Change rlm_eap to not log an error if given a non-EAP packet
519 * Fix rlm_ippool's call to pod2man for perl versions before 5.6
520 * Fix a remote DoS and due to mis-handling of tagged attributes,
521 and Tunnel-Password attribute.
523 FreeRADIUS 0.9.2 ; Date: 2003/10/14 19:00:09, urgency=low
525 * New rlm_ippool code to fix IP leaks
526 * New rlm_ippool_tool for manipulation of rlm_ippool databases
528 * Change radrelay to reject records without an Acct-Status-Type attribute
529 * Change rlm_counter to reject packets which predate last server reset
530 * Change version output to include GNU GPL information
531 * Change rlm_ldap to output bad search filters
533 * Fix compilation of various modules when not building with pthreads
534 * Fix segfault due to poorly initialised value in rlm_mschap
535 * Fix to only reject packets once
536 * Fix rlm_exec to work when wait=no
537 * Fix rlm_attr_filter to work in post-proxy (as intended)
538 * Fix rlm_sql to only try to load SQL drivers
539 * Fix to orrectly limit size of RADIUS packets
540 * Fix usage information to output to stdout when used with -h flag
541 * Fix configure to assume gethostbyname is BSD-Style on FreeBSD
543 FreeRADIUS 0.9.1 ; Date: 2003/09/04 14:56:34, urgency=low
545 * Replicate-To-Realm is deprecated, and hence no longer documented
546 * Document rlm_detail support for authorize and post-auth sections
547 * Improve slightly MySQL accounting record SQL query
548 * Opaquefied CHAP-Challenge
549 * Add attributes to Nomadix dictionary
550 * Fix rlm_exec's parsing of non-attribute return values
551 * Fix for a segfault while reading config files
552 * Fix for a segfault regarding hostname lengths
553 * Fix for a segfault while reading deprecated config files
554 * Fix compilation of radiusd.c when threads are disabled
555 * Recover from inability to relay
556 * Stop complaining in error log when a system call is interrupted.
557 * Don't print binary CHAP-Passwords into the logs
558 * Successfully detect GNU dbm >= 1.8.1's dbm compatibility library
559 * Fix rlm_unix to deal with requests without a username
560 * Fix "uninmplemented function" crash in postgresql driver on -HUP
561 * Revert INTERVAL types to BIGINT in postgresql example schema
562 * Fix radrelay to notice when it's out of IDs
563 * Fix radrelay to correctly skip bad attributes
564 * Fix radrelay to not leak IDs when discarding packets
565 * Fix configure to correctly identify systems without SYSV or GNU-style
566 gethostby{addr,name}_r.
568 FreeRADIUS 0.9.0 ; Date: 2003/07/04 21:01:29, urgency=low
570 * Many, many, bug fixes and feature enhancements.
571 * radrelay now updates packet 'id' on retransmissions.
572 * More checks for thread-safe functions.
573 * Fix CHAP related buffer overflow (ouch!), thanks to Masao NISHIKU.
574 * Issue warnings if deprecated configuration files are used.
575 * rlm_passwd can now add items to the reply, request, or config items.
576 * The rlm_digest, rlm_exec, and rlm_ippool modules are now marked
577 as 'stable', and included in the default build.
578 * Removed 'raduse'. No one has used it for years.
579 * Massive fixes for Debian packaging.
580 * radclient can now send "disconnect" packets, to NASes which
581 support it. The server, however, CANNOT send disconnect packets.
582 * Made Auth-Type, Acct-Type, etc. names consistent across
583 dictionary files and radiusd.conf. The old (inconsistent) names
584 are still allowed for backwards compatibility.
585 * Cleaned up problems with the rlm_sql module.
586 * Updates to the rlm_ldap module.
587 * rlm_mschap no longer reads SMB password files. See rlm_passwd,
589 * Changed default entry in the 'users' file to 'Auth-Type = System',
590 to allow EAP and Digest authentication to work automagically.
591 * Support for Cisco LEAP.
592 * Added many new dictionaries (Extreme, Wispr, ERX, Netscreen...)
593 * Removed support for ATTRIB_NMC. It is now handled (better)
594 in a different manner.
595 * Dictionaries have been moved from /etc/raddb to /usr/share/freeradius
596 * Many documentation updates
597 * Ignore whitespace-only lines in the 'users' file.
598 * Patch to fix 'rlm_realm' from returning the DEFAULT entry when
599 we are looking for the NULL entry and it doesn't exist. Bug
600 noted by Nathan Miller.
601 * Disable child process spawning if we don't have threads.
602 The code doesn't work, so it's better to force the server
603 to run in single-process mode.
604 * New rlm_exec module, which allows a more generic way of
605 executing external programs.
606 * Preliminary large file support in 'configure' and in the server,
607 to support 2G+ detail files.
608 * Install documentation into /usr/local/share/doc/freeradius
609 * New/updated dictionaries for RedCreek, Bintec, Alcatel,
610 ITK, Telebit, and Cabletron.
611 * Updates to allow building on MAC OSX.
612 * Add support for Acct-Type,Session-Type and PostAuth-Type
613 * Removed builddbm. It hasn't been used for ages.
614 * Added new post_proxy section, based on patch from Chris Brotsos.
615 * rlm_counter shouldn't reset the counters on instantiation,
616 if the reset is set to 'never'.
617 * Significant updates to the rlm_python and rlm_perl modules
618 * Fix the rlm_pap module to handle password lengths properly.
619 * Do SQL 'close' on bad sockets, to prevent descriptor leaks
620 * Case insensitivity option for rlm_radutmp
621 * New pseudo-round-robin load balancing for realms.
622 * Suppress empty SQL queries.
623 * Include strong PRNG
624 * Create 'snmp' configuration directive, so that we can disable
625 SNMP at run time, even if it's built into the server.
626 * Refresh realm as 'active' when we see a response from it,
627 Based on a patch by Angelos Karageorgiou.
628 * Don't core dump if Status-Server is received, but it's disabled.
629 * Support more variants of character fields in Oracle.
630 Patch from Stocker Gernot.
631 * Better parsing of dictionary files.
632 * Alteon web switch dictionary, from Thomas Linden
634 FreeRADIUS 0.8 ; Date: 2002/11/18 15:37:24, urgency=low
636 * Added Oracle-specific queries.
637 * Updated SQL queries to match schema.
638 * PostGreSQL reconnect patch.
639 * Added documentation on how to build on MAC OSX.
640 * Allowed SQL module to ignore unknown Acct-Status-Type values.
641 * Updated PostGreSQL queries and schema.
642 * Updated the log rotation configuration files.
643 * Colubris and updated Nomadix dictionaries, from Marko Myllynen.
644 * Normalized error messages from the SQL modules, so that they're
646 * Added Suse specific directory and configuration files, from
648 * SQL fail-over patch, so that the module returns FAIL if
649 the back-end database is down. Based on a patch from
651 * Cleaned up the internal handling of the configuration
652 information, in preparation for better handling SIGHUP.
653 * Updated rlm_krb5 configuration to better find it's libraries
655 * radclient now complains if it receives a reply from a machine
656 other than the one to which it sent the request.
657 * Updated Postgresql SQL queries to get the operator, too.
658 * Added Juniper dictionary.
659 * Added Cisco VPN3000, VPN5000, and BBSM dictionaries.
660 * New platform-neutral 'rc.radiusd'
661 * Configuration files with private information get chmod'd
662 0600 after installation.
663 * Preliminary support for clean shutdowns when a SIGTERM is
665 * SNMP timeouts for checkrad, so there will be fewer situations
666 where it hangs for 30 seconds...
667 * Added code to clean up modules and memory when asked to exit
669 * Removed all need for the old-style 'naslist' and 'client' files,
670 and noted that they are deprecated.
671 * Added support for Status-Server packets, stolen shamelessly
672 from Cistron RADIUSD. This is despite the RFC's saying such
674 * Bug fixes to rlm_dbm.
675 * Updates for checkrad, max40xx routine, from Aleksandr Kuzminsky.
676 * Disable caching of passwords for the Unix module. It was
677 causing too much confusion.
678 * Fix a memory leak when proxying Authentication-Request's
679 * Attributes which are not found in the dictionary are now of
680 type 'octets', instead of 'string'.
681 * Support for "round-robin" load balancing, when proxying requests
682 to multiple servers for one realm.
683 * Minor changes for better HPUX support.
684 * Updated the documentation and README's
685 * Made FreeTDS build ONLY after hand-editing, as the FreeTDS
686 libraries are in a state of flux, due to active development.
687 * Fixes to help build the server on MAC OSX
688 * Cisco VPN 3000 dictionary, as posted to the list by Chris Deramus.
689 * Fix EAP problems with retransmission, from Rainer Weikusat.
690 * Updates to the Oracle module, from Andrea Gabellini.
691 * In xlat, Unix timestamps are unsigned ints.
692 * Security fixes for the Kerberos Module.
693 * New 'post-auth' section, to do additional processing of
694 requests after they've been authenticated.
695 * doc/aaa.txt describes how the server works.
696 * More uniform encoding/decoding of passwords, so that they will
697 be seen as clear-text where possible.
698 * radwho and radzap now read 'radiusd.conf' to discover where the
699 radutmp files are located. Patch from Andrea Gabellini.
700 * Preliminary 'expression' module, to allow you to do cool things
701 like: Session-Timeout = `%{expr:3600 - %{sql:SELECT ...}}`
702 * Added ability to do xlat on check items, and reply items,
703 so that the value of the reply attributes can be dynamically
705 * Added MIBs, taken from the RFC's. This makes SNMP queries to
706 the server a little easier to set up.
707 * Don't SEGV when we receive a packet which is larger than the
708 size claimed in the RADIUS portion. Patch from Vaughn Skinner.
709 * SNMP patches from Harrie Hazewinkel.
710 * Added Altiga dictionary, from Calum <calum.aug02@umtstrial.co.uk>
711 * New Rewrite-Rule for rlm_attr_rewrite, to selectively choose
712 which rewrite rule is performed, and when.
713 * Minor bug fixes for radrelay.
714 * Bug fixes in SQL and sub-modules.
715 * Major updates to dialup_admin.
716 * Fixed handling of tagged string attributes, so that the server
717 doesn't go off into never-never land.
718 * Cleaned up experimental rlm_smb, so that it builds on more
720 * Don't over-write request->reply->vps with the Reply-Message,
721 when doing authentication rejects with Exec-Program-Wait.
722 * Added 'instantiate' section, so that modules like 'expr',
723 with only an 'xlat' function can be registered.
724 * Allow '{' and '}' in xlat'd strings.
725 * C++ compatibility patch from Andrey Kotrekhov, for libradius.
726 * Automatically decrypt/encrypt User-Password, so that debugging
727 mode will print out the text password, and not the random
728 garbage it previously showed.
729 * Cleaned up header files and function prototypes for the SQL
732 FreeRADIUS 0.7 ; Date: 2002/07/26 18:01:50 , urgency=high
734 * Allow attributes of type 'date' to be sent in outgoing packets.
735 Bug found by Loh John Wu <ljwu@sandvine.com>
736 * Add 'Realm' attribute, even if it's a LOCAL realm.
737 Bug noted by Chris Brotsos.
738 * Added experimental SMB authentication module, which uses
739 PAP passwords to authenticate against an NT-Domain.
740 NT/LM-passwords are not currently supported.
741 * More documentation for rlm_passwd, rlm_mschap, and rlm_digest.
742 * 'configure' changes to better find sem_init and friends.
743 * Allow the use of previously installed libtool, and libltdl.
744 This appears to help a lot on FreeBSD.
745 * Fixes to work on non-threaded builds.
746 Patch from Rainer Weikusat.
747 * SQL now re-connects to the server, if the connection is lost.
748 Currently only MySQL is fixed, but other patches will follow.
749 Patch from Todd T. Fries.
750 * Added experimental use of dynamicly translated variables,
751 CallBack-Number = `%{request:Calling-Station-Id}`
752 sets the value of the CallBack-Number attribute to the value of
753 the Calling-Station-Id in the original request.
754 * Cute hack: Allow regex matching on IP addresses, by placing
755 the string representation of the IP address (1.2.3.4) into
756 the internal data structure. This allows things like
757 NAS-IP-Address =~ "^192\.168", which may be useful.
758 * Add documentation for experimental rlm_dbm module.
759 * Added experimental Perl module.
760 * Added the relevant IETF RFC's (standards documents) to 'doc/rfc',
761 along with some simple perl scripts to convert them to cross-
763 * Updated the experimental Python module.
764 * Added Cisco SSG VSA's
765 * When rejecting authentication due to external Exec-Program, do
766 NOT free the reply pairs, as the server core will take care of
767 doing that. Bug noted by Thomas Jalsovsky
768 * New experimental module: rlm_cram
769 Supports APOP, CRAM-MD5, CRAM-MD4, CRAM-SHA1 with it's own
770 VSA's. This module may be used for SMTP/POP3/IMAP4 server
772 * Make Exec-Program and Exec-Program-Wait work in debugging mode.
773 * Finalize the radrelay additions, based on Cistron RADIUS
774 Patches from Simon <lists@routemeister.net>
775 * Fix issues with linking, by making libradius shared.
776 * Fix issues with MD4, MD5, SHA1, and use of OpenSSL
777 * Update rlm_x99_token module to compile.
779 FreeRADIUS 0.6.0 ; Date: Date: 2002/07/03 14:16:33 , urgency=high
781 * Many bug fixes. For explicit details, see:
782 http://www.freeradius.org/cvs-log/
783 * Change to the user/group specified in the config file in all
784 modes ( debug and daemon ).
785 * SQL sockets are rotated so that all are used, to prevent the
786 SQL server timing out and closing unused sockets. Patch from
788 * Sybase driver from mattias@nogui.se.
789 * Modules are now versioned.
790 * Delete garbage Proxy-Reply attributes sent by the home server
791 before performing our own reply.
792 * Fix race conditions when duplicate packets resulted in a request
793 being processed by two threads, at the same time.
794 * Add '-d' command-line option to radwho
795 Bug noted by Matthew Schumacher
796 * Corrected issue that when a home server never replied to a
797 proxied request, the server may die.
798 * In SQL, look in radcheck, if not found there, try radgroupcheck.
799 Patch from Thomas Jalsovsky.
800 * Set sql user name for ALIVE accounting packets, too.
801 Patch from Simon <lists@routemeister.net>.
802 * Use port-specific checking for realms, now that we can proxy to
803 different auth/acct servers for the same realms.
804 Patch from Eddie Stassen.
805 * Minor updates to encrypted tunnel passwords.
806 * Default 'run_dir' is now /var/run/radiusd, not var/run.
807 /var/run is writeable only by root, and radiusd may be run suid.
808 * Modules are now versioned, so that upgrading the server
809 ensures that the new modules are installed.
810 * Fix sql code, so that magic SQL characters don't get the
812 * Remove references to "UNKNOWN-NAS" in log messages.
813 * Properly handle fork() and obtaining child processes exit
814 status when using threads. (pthread is broken w.r.t. signals)
815 * Correct code which would send erroneous reject, when the reject
816 was delayed, and a new request came in.
817 * Fix race condition where proxied requests would sometimes never
818 be re-sent. Bug noted by Eddie Stassen.
819 * Corrected LDAP3 schema
820 * Implemented Digest authentication, as per IETF document
821 draft-sterman-aaa-sip-00.txt, to perform authentication against
823 * If no password or group files have been specified in the config,
824 use the standard system calls to find them, rather than giving
825 up. Patch from Steve Langasek.
826 * Return Proxy-State attributes in a delated Access-Reject
827 * Corrected 'session zap' logic, when an old and unused session
828 is deleted from the databases. Accounting packets with garbage
829 Client-IP-Address attributes should no longer be a problem.
830 * Bug fixed in LDAP attribute map, for MS-CHAP related attributes.
831 * Fixes to the EAP module to work better with XP.
832 * Support for MS-SQL, using the FreeTDS library,
834 * New operators =* and !*. See 'man 5 users' for details.
835 * Added translation for %{config:section.subsection.item}, to
836 allow run-time translation of internal configuration parameters.
837 * New rlm_sqlcounter module, to keep counters based on SQL data.
838 * Fix rlm_realm, to allow seperate proxying of accounting and
839 authentication requests.
840 * Bug fixes in PostgreSQL back-end, from Andrew Kukhta.
841 * Increase internal buffers, to allow large SQL query strings.
842 * Added debug level 3 (-xxx), where debug messages have time stamps.
843 * Fix 'radwho' to use the correct radutmp file, as found by
844 'configure' (but radwho still doesn't read radiusd.conf)
845 * Fix bugs in tunnel (tagged attribute) code, which would prevent
846 tagged attributes from being generated correctly in a packet.
847 * Build only 'stable' modules by default. Experimental modules
848 require --with-experimental-modules to be passed to 'configure'
849 * New module rlm_ippool, to do server-side IP pooling.
850 * Fix rlm_eap module for portability, to work on non-x86 platforms.
851 * Re-connect to the LDAP server if the connection idles out
852 * Increased the visibility of the warning messages when doing
854 * Fixed EAP module to use 16-bit integers, so that it will
855 work on big-endian architectures.
857 FreeRADIUS 0.5.0 ; Date: 2002/03/14 22:18:22, urgency=medium
859 * Many bug fixes. For explicit details, see:
860 http://www.freeradius.org/cvs-log/
861 * Added Foundry dictionary, from Thomas Keitel
862 * Fix a logic bug in the 'walk over request list' code, which
863 would sometimes result in a request being deleted while it
864 was still being processed. Found by Rainer Clasen
865 * New 'tuning' guide, for optimizing the server's speed.
866 * The default ports are now 1812/1813, which is the standard.
867 * Fix a bug which would hang the server when many SQL connections
868 were open. Found by Cvetan Ivanov <zezo@spnet.net>
869 * Updated MySQL schema, with sanity checks, based on a schema from
870 Thomas Huehn <huehn@eozaen.net>
871 * Added 'Aptis' (Nortel CVX) dictionary.
872 * Added Ipv6 attributes (as 'octets' type for now)
873 * 'xlat' capability for SQL, so other modules can do SQL queries.
874 * We don't need a shared secret for LOCAL realms.
875 * Added better description of internal variables.
876 * Configurable fail-over to DEFAULT realm. Sometimes we don't
877 want to use the DEFAULT realm, if all configured realms are
878 marked dead. From Rainer Clasen.
879 * new configuration items 'max_attributes' and 'reject_delay'
880 If the packet contains too many attributes, it can be rejected.
881 We can also delay sending an Access-Reject, which slows down
883 * Updates to redhat scripts and spec file, from Marko Myllynen.
884 * Python module (EXPERIMENTAL) from migs paraz <mparaz@yahoo.com>
885 * Add ability to find *best* match when comparing attributes.
886 If there is more than one attribute in a request and the first
887 one doesn't match, go check the second one, instead of failing.
888 * unixODBC support for SQL, from Dmitri Ageev <d_ageev@ortcc.ru>
889 * Use thread-safe versions of library calls. This work is still
891 * New rlm_passwd module, to allow general parsing of passwd-style
893 * Preliminary EAP-TLS support.
894 * Updated LDAPv3 schema
895 * Correct checks for Odbc, and fix bugs in the module.
896 Andreas Kainz <aka@maxxio.at>
897 * MAN page fixes and updates
898 * Added PHP web interface 'dialup_admin'
899 * Password = "UNIX" or "PAM" backwards compatibility removed.
900 * Use the operators in the SQL schema and queries, and bug
901 fixes in the SQL module.
902 Randy Moore <ramoore@axion-it.net>
903 * fgetpwent() compatibility, for systems without it,
904 from Daniel Carroll <freeradius@defiant.mesastate.edu>
905 * Added PAP authentication module, as a step to removing
906 most authentication handlers in other modules.
907 * Send a Access-Reject after max_request_time
908 * Multiple fixes in the LDAP module.
909 * Quintum dictionary by Jeremy McNamara <jj@indie.org>
910 * Preliminary EAP Module with MD5 support
911 Contributed by Raghu <raghud@hereuare.com>
912 * Better sanity checking for bad VSA's when receiving a packet
913 * new 'xlat register' so that attribute values may be pulled
914 out of configurable databases at run-time.
915 e.g. %{ldap:ldap:///dc=company,dc=com?uid?sub?uid=%u}
916 * Minor fixes to debian package rules
917 * Attribute 'Password' deprecated in favor of 'User-Password'.
918 * MS-CHAP and MS-CHAPv2 MPPE support added.
919 Contributed by Takahiro Wagatsuma <waga@sic.shibaura-it.ac.jp>.
920 * X9.9 token enhancements (several).
922 -- Alan DeKok <aland@ox.org>
924 FreeRADIUS 0.4.0 ; urgency=low
926 * Allow the MS-CHAP module to work, and to read /etc/smbpass
927 3APA3A <3APA3A@SECURITY.NNOV.RU>
928 * Remove the server requirement that one of User-Password
929 or CHAP-Password exist when doing authentication. These
930 checks should be handled by the modules. This change
931 also prepares us for EAP.
932 Patch from Raghu <raghud@hereuare.com>
933 * Make NAS-Port-ID in radwho, raduse, etc. unsigned,
935 Patch from John Morrissey <jwm@horde.net>
936 * Allow \t and \n inside of configuration strings.
937 Frank Cusack <fcusack@fcusack.com>
938 * X9.9 Challenge-Response token card support.
939 For now, only CRYPTOCard tokens are supported.
940 Frank Cusack <fcusack@fcusack.com>
941 * Fix core dump on Solaris in radwho.c
942 Patch from Eddie Stassen <eddies@saix.net>
943 * Fix leak / core dump in Oracle module.
944 * Fix memory leak in rlm_counter
945 Kostas Kalevras <kkalev@noc.ntua.gr>
946 * "LOCAL" realms do not need to have an entry in the 'clients'
947 file. Philippe Levan <levan@epix.net>
949 -- Alan DeKok <aland@ox.org>
951 FreeRADIUS 0.3.0 ; urgency=low
953 * Added ability to send debug messages to the log file, when
954 running in daemon mode.
955 * Miscellaneous fixes to get Debian packaging working.
956 * When trapping a signal, don't SIGKILL children on a SIGTERM,
957 SIGTERM them, instead. This allows Exec-Program scripts to
958 catch the signal, and finish processing, instead of dying.
959 Bug noted by Michael Chernyakhovsky <magmike@mail.ru>
960 * Increased limit on length of user name read from /etc/passwd,
961 to match the maximum allowed by RADIUS.
962 Bug noted by "Gonzalez B., Fernando" <fgonzalez@manquehue.cl>
963 * Configurable fail-over when proxying packets. If the
964 home server doesn't respond to a repeated proxied request,
965 it's marked as 'dead', and the next one in the list is used.
966 Patch by Eddie Stassen <eddies@saix.net> and <spirn@21cn.com>
967 * Pass Access-Challenge attributes through the server, in
969 Raghu <raghud@hereuare.com>
970 * More fixes for RFC compliance on the Message-Authenticator
971 Raghu <raghud@hereuare.com>
972 * Merged OSFC2/OSFSIA authentication patches from Cistron.
973 (Bug # 104) The patches are not well tested, however.
974 * IBM DB2 UDB V7.1 SQL driver, contributed by
975 Joerg Wendland <wendland@scan-plus.de>
976 * Fix the IP + Port address assignment.
977 Bug found by "John Padula" <john_padula@aviancommunications.com>
978 * Patch to avoid smashing the contents of Ascend binary filters.
979 Michael Chernyakhovsky <magmike@mail.ru>
980 * Create and Validate Message-Authenticator attribute, in
982 * Initialize variables properly in rlm_attr_filter.
983 Patch from Andriy I Pilipenko <bamby@marka.net.ua>
984 * Renamed RedHat init script from 'radiusd.init' to 'radiusd'.
985 This allows it to work properly with the RedHat rc system.
986 Patch from Christian Vogel <chris@amor.iksys.de>
987 * Fix the configure script checks for PostgreSQL, so that
988 they use the 'test' command properly.
989 Bug found by Robert Haskins <rhaskins@ziplink.net>
990 * Change instances of 'assert' to 'rad_assert', so that it
991 can log the error to the standard radius log files.
992 Patch from Vesselin Atanasov <vesselin@bgnet.bg>
993 * Patch to prevent segv when freeing results, from
994 Tomas Heredia <tomas@intermediasp.com>
995 * Added support for Exec-Program to acct. Bug found by
997 * Corrected rlm_files so that raddb/acct_users works
998 * When doing synchronous proxying, update proxy next try
999 entries, so that the server doesn't eat CPU time.
1000 Raghu <raghud@hereuare.com>
1001 * Add primitive dictionary.nomadix <CBoyd@apogeetelecom.com>
1002 * Log messages to console, if the logger hasn't been
1003 initialized. <vesselin@bgnet.bg>
1004 * Log invalid user for proxy rejects, too. <help@visp.net>
1005 * Fixed Expiration attribute handling.
1006 * Added code to handle Ascend-Send-Secret and Ascend-Receive-Secret
1007 * Removed non thread-pool code. If we have threads, we now force
1008 the use of thread pools.
1009 * Update version number
1010 * correct bug where proxied accounting packets would never have a
1011 reply sent back to the NAS, or the reply would be sent twice.
1013 -- Alan DeKok <aland@ox.org>
1015 FreeRADIUS Alpha 0.2.0, July 30, 2001.
1017 * call openlog() again when using PAM, to get the correct log
1019 * Update child thread code, to minimize race conditions.
1020 * Make thread pools the default. Using plain child threads is NOT
1022 * Ignore SIGPIPE to get ride of crashes when using ldap.
1023 * Update proxying code to work better.
1024 * Platform independent pthread_cancel()ling
1025 * Fix 'unresponsive child pid' erroneous warning messages.
1026 * Many changes to get various SQL modules working.
1027 Note that there may still be some issues with Oracle.
1028 * Added configure options 'with-rlm-FOO-include/lib-dir', so that
1029 lower-level rlm_FOO modules can be configured via the top-level
1030 configuration file. This isn't completely done yet.
1031 * Fix check for shared library using libtool info, instead of
1032 assuming extension being ".so".
1033 * Fixes for HPUX. We probably need more.
1034 * Many additional bug fixes and changes.