FreeRADIUS 3.0.4 Mon 12 May 2014 15:30:00 EDT urgency=medium Feature improvements * Home server "response_window" can now take fractions of a second. See proxy.conf. * radmin now supports "show module status", as the counterpart to "set module status" * Added dictionary ericsson.packet.ccore.networks * Add %{tag:} expansion to get the tag value of an attribute. * Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS - ' in pg_stat_activity. * All config item fields are now type checked at compile time to prevent issues similar to #634 occuring again. * Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap. * "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses. * The above applies to "listen", "home_server", and "client" sections. * "client" sections will allow prefixes as "192.192.0/24". The old "netmask" is still accepted, but the new format is preferred. * Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use). * Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}. * Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests. * rlm_cache now consumes its control attributes to make runtime configuration easier. * Add control:Cache-Read-Only which when set to 'yes' will make the cache module merge existing cache data, but not create new entries. * Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting. * Add support for aliases in rlm_ldap. Bug fixes * make case-insensitive regular expressions work again. * Added tests for the above * A few more talloc parenting issues * Fix delayed proxy reply handling. Closes #637 * Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646 * Don't double-quote strings in debugging messages * Fix foreach / break. Fixes #639 * Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary. * Fix typo in mainconfig. Fixes #634 * More rlm_perl fixes. Fixes #635 * Free OpenSSL memory on clean exit. * Fix [0] !* ANY - Was removing all instances of * Fix case where multiple attributes were returned from LHS of mapping, as with rlm_ldap. Fixes #652 * Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may of resulted in a read of uninitialised memory. * Don't SEGV if all connections to a database server go away. Fixes #651. * Fix issue where -= was not removing tagged instances of equal to (only untagged). * Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks. * Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified. * Fix issue where specifying a dynamic client IP addresss using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error. * Don't print two "&" for messages about attribute or list references. * Fix urlquote and escape to encode Unicode characters correctly. * Fix redundant-load-balance blocks to try other modules in the group if one fails. * Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes, would be sometimes misnormalised as base64. * Don't stop processing DHCP options if we find a 0x00 padding option. * Fix issue where modifying the value of an attribute created from a template with a literal value, may have resulted in the template literal being freed. * Fix parenting issues in tls code which may have resulted in memory corruption and crashes. * Fix issue in radsniff where writing to PCAP files and using -R response filters, where the requests would still be written to the PCAP for non matching responses. * Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX. * Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo'). * Delayed attribute references can now be used in unlang existence checks. i.e. if (&Attribute-Name) { ... } FreeRADIUS 3.0.3 Mon 12 May 2014 15:30:00 EDT urgency=medium Feature improvements * Everything now builds with no warnings from the C compiler, clang static analyzer, or cppcheck. * rlm_ldap now supports defining the LDAP attribute name via backticked expansion (i.e. shell command) in RADIUS <-> LDAP mappings. * rlm_ldap now supports older style generic attributes. * dynamic expansions (e.g. "%{expr:1 + 2}" are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed. * Static regular expressions (e.g. /a*b/) are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed. * dynamic expansions are cached after being parsed. They are no longer re-parsed at run-time for every request. * regular expressions are now parsed and cached when the server starts. * Added the %{rest:} expansion to rlm_rest, which will send a GET request to the URL passed as the format string. Any body text will be written to the expansion buffer. * rlm_rest now available as a debian package. * When an 'if' condition statically evaluates to true/false, unlang does more static optimization. For examples, see src/tests/keywords/if-skip * All modules are marked as safe for '-C', which lets the dynamic expansion checks work in more situations. * Added 'none' and 'custom' rlm_rest body types. 'custom' allows sending of arbitrary expanded text and content-type headers. * Added "config" section to Perl. See mods-available/perl * Added '%v' which expands to the server version - Patch from Alan Buxey. * more mis-matched casts are caught in "if" conditions, and descriptive errors are printed. * Support basic response validation in radclient. This allows administrators to write local test cases for their site-specific configurations. * Removed radconf2xml and radmin "show client config" and "show home_server config". * Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf" * Catch underlying "heartbleed" problem, so that nothing bad happens even when using a vulnerable version of OpenSSL. * Add locking API for sql_null, linelog, and detail modules, which should improve performance and work around issues on platforms with bad file locking. * Allow DHCP NAKs to be delayed, via setting reply:FreeRADIUS-Response-Delay = 1 * Allow tag and array references anywhere attributes are allowed in "unlang". * many enhancements to radsniff, including output to collectd, ipv6 support and packet loss statistics. * Many dictionary updates (ZTE, Brocade, Motorola). * rlm_yubikey now automatically splits passwords from OTP strings. * The detail file reader is now threaded by default. This should improve performance reading the files. Bug fixes * Fix xlat expression %{attribute[n]} so that it actually returns the n'th attribute instead of the first one. * Don't parse string on RHS of update {} when using unary operators (!*). The RHS should always be ignored. * Check for more optional functions in json-c so we can Build with libjson0, which is the name of the json-c package on debian/ubuntu. * Fix issue in radmin where the main dictionaries would not be loaded which, depending on the configuration, may have caused validation errors. * Fix handling of "%{reply:3GPP-*}" * Fix rlm_perl garbage attributes * Fix oracle SQL queries, which amongst other things still used the old expansion format, which is no longer supported/parsed. * Truncate long format strings and error markers instead of omitting them. * Fix multiple attribute parsing in rlm_rest JSON. * Don't crash in rlm_rest if connect_uri is commented out in the configuration. * Don't double-escape strings to / from Perl. You may need to double-check your Perl scripts if they use "\" characters. See mods-available/perl for documentation. * Don't re-run "authorize" if a home server fails to respond. * Don't append "0x" to hex output of octets types, for xlat expansions. This is the same as v2, and makes it easier to concatenate multiple attributes of type "octets" * FreeBSD fixes for execinfo linking. * Make some of the module configurations more consistent. * Fix corner cases where STDOUT wouldn't be closed in daemon mode. * Re-enable "update coa" and originating CoA requests. * Prevent multiple threads writing to the sql query logs. * Fix zombie period calculation. Closes #579 * Properly parent VPs for talloc, when moving them in map2request. * Various fixes for talloc parent / child relationships * Allow rlm_counter to support VSAs. * Normalize return codes for many modules. "do nothing" is noop, not "ok". * Run Post-Proxy-Type Fail. Closes #576 * Fix DHCP destination port for replies to relays. Closes #591 * Do-Not-Respond policy works again Closes #593 * Proxy-To-Virtual-Server works again. Closes #596 * Build fixes for ancient systems. Closes #607, #608, #609. * %{Module-Return-Code} works again. Closes #610. * Don't increment statistics for Status-Server responses. Closes #612. * A duplicate request isn't a duplicate if the original one is marked "done". This should lower retransmissions from clients. * Fix multiple regular expression and glob memory leaks. * Don't allocate any memory in fr_fault() as it can cause malloc to deadlock. * Temporarily set dumpable flag before calling system in fr_fault() else the debugger may not be able to attach. * Set nonblock on all TCP client sockets. * Fix minor buffer overrun in mschapv2 where some attribute strings were not correctly \0 terminated. * Fix crash on authentication failure with MIT kerberos. * Fix code so that octal escape sequences aren't prematurely unescaped in rlm_sql, radclient, preprocess, and other places. This may require configuration changes, as these sequences will no longer need double escaping (\\) of the backslash. * The connection pools no longer have one connection used twice in certain rare conditions. * Use self pipes for internal signals. The code was there, but was unused. * Don't crash if there are outstanding EAP sessions and were told to exit gracefully. * Fix typo in dictionary.rfc4072 FreeRADIUS 3.0.2 Fri 21 Mar 2014 08:30:00 EDT urgency=medium Feature improvements * secret keys and LDAP / SQL passwords are now printed as '<<< secret >>>' in debugging mode. Use -Xx to see the actual passwords. * Print out more information about passwords in -Xx, including hashes, comparisons, etc. * Allow cast (and implicit conversion) of integers to IPv4 addresses * More xlats allow attribute references. This means they can operate on binary data. e.g. expr, base64, md5, sha1. * Added more tests. * The dictionaries are now auto-loaded. raddb/dictionary should no longer have $INCLUDE ${prefix}/share/dictionary * A "panic_action" can be set to have the server dump a gdb log on SEGV or other fatal error. See radiusd.conf * Add support for SHA-224, SHA-256, SHA-384, SHA-512 to rlm_pap. * Add "%{sha256:}" and "%{sha512:}" xlat functions. * Cache CUI in EAP session resumption. * templates can now have sub-sections, which will be included in the section referencing the template. * Update more dictionaries. * Added more instances of the "always" module, for all return codes. * Suppress broken NASes when proxying. Retransmits which occur more than once per second are rate-limited to once per second. * Allow '&' in more xlat expansions. * Update PostgreSQL schema and queries to record last updated time, and accounting interim. * Optimize more "if" conditions when the server loads. This will avoid work at run time. e.g. ("foo" == "bar") --> FALSE. * Allow removal of all attributes within a list with !* operator. * Allow list to list copies with request qualifiers (outer.). * Add support for ipv4 prefixes and ipv6 addresses and prefixes to %{integer:}. * allow radmin command "set module status " which can be used to forcibly enable/disable modules. * pap module now assumes Cleartext-Password if Password-With-Header doesn't have a {...} header. * Added "unpack" module. It can unpack binary data from horrible VSA formats. See raddb/mods-available/unpack * Added example IP Pool for DHCP, using sqlite. From Matthew Newton See raddb/mods-config/sql/ippool-dhcp/ Bug fixes * Fix SQL groups. * Fix operation of fr_strerror() with RE*() macros. * Don't assert if the connection we're trying to reconnect is not in_use. * Fix %{mschap:User-Name} xlat. * Allow comparisons of signed integers and of ethernet addresses. * Fix parsing of text-based ascend binary filters. * Fix a few minor Coverity and clang analyzer issues. * Log WARNING and ERROR prefixes only once, not twice. * Fix attribute truncation seen in Perl and other places. * Use correct port when DHCP relaying. * Fix behaviour on FreeBSD where sending packets from an interface bound to an IP address would fail when the server was built with udpfromto. * Don't abort() when freeing home servers on exit. * Fix edge case in pairmove() when some attributes could be over- written. * Do checks for individual sqlite v2 functions so rlm_sqlite builds correctly with more versions of the library. * In heimdal kerberos, create MEMORY ccaches on a per context basis. This prevents issues with the root ccache being used. * Fix corner case with proxying, where home server goes down. * Rate-limit "max_requests" complaint. We don't want to fill the logs when something goes wrong. * Use /dev/urandom for raddb/certs/random, if it exists. * Issue WARNING that old-style clients should no longer be used. * Auto-set secret to "radsec" for tcp+tls home servers. * Fix double free in home_server_add when there is a parse error on startup. * rlm_unix checks if the dictionaries are broken, instead of crashing * Fix potential memory corruption when normalising salted password hashes from hex, where the combined hash and salt was > 64 bytes. * Register sqlcounter attributes correctly, and other issues with it * treat 127.0.0.1/32 as being identical to 127.0.0.1 * Don't mangle error output of SQL drivers like PostgreSQL * Fix usage of "tls = ${tls}". It could previously cause problems when the reference was used multiple times. * Fix TLS session leak for incoming sockets. * Try harder to clean up memory on exit when using "-mM" * Fix memory leak when home server is down for RadSec connections * rate-limit outgoing connection attempts when the home server is down. It will retry no more than once per second. * When parsing ipv6 address prefixes, always mask off the host portion. * Fix rlm_counter so that it does not create two reply attributes. * Fix issues with DHCP Sub-TLVs where the value of the first Sub-TLV would appear corrupted, and subsequent TLVs would not appear in debug output. * Initialize scope in IP address parsing * Prevent vendor attributes and RFC space attributes from clashing in rlm_attr_filter. * Set source IP address for DHCP packets from DHCP-Server-IP-Address, or DHCP-DHCP-Server-Identifier, if we're unable to otherwise determine the source IP. * Fix POST attribute parsing in rlm_rest. * Fix JSON attribute parsing in rlm_rest. * Don't append trailing & to POST options in rlm_rest (minor). * Process HTTP 100 Continue messages correctly in rlm_rest * Fix generation of long > 512 byte POST payloads, where attribute values on the chunk boundary may have been omitted in rlm_rest. * Remove duplicate escape sequence parsing in rlm_sqlippool and rlm_sqlcounter which caused issues with escaping %. Escape sequence parsing is now handled purely by the xlat functions. * Ensure %% is treated as a string literal, and so not passed to any xlat escape functions for processing. * Correct calculation of Message-Authenticator for CoA packets. Closes #556 FreeRADIUS 3.0.1 Mon 13 Jan 2014 14:30:00 EDT urgency=medium Feature improvements * Add "timeout" to exec, and "ntlm_auth_timeout" to mschap. So that run-away child processes are caught earlier. * Allow TLS clients to use "proto = tls", in which case TLS is required. The shared secret is then set to "radsec". * More documentation in the tls virtual server. * Add "date" module for date formatting. See raddb/mods-available/date. * Added unit test suite for internal server functionality * When loading "update" sections, check if the RHS is a literal value. If so, syntax check it immediately. * Update LDAP module documentation and functionality. The generic attribute can now update lists. * Updated dictionary.extreme. * Update sqlippool to do clears as a separate transaction, and at most once per second. This should help MySQL. * Respect control:Response-Packet-Type for all types of requests. * Add support for SSL encryption to the MySQL driver. * Allow arbitrary connection parameters to be used with the PostgreSQL driver. * Changes to the OpenLDAP schema to fully expose functionality of the new LDAP module. * Update debian packaging to include a freeradius-config package. This package may be provided as a site local package to avoid fighting with the preinstalled config files. Bug fixes * Use correct field for ARP setting in DHCP. * Fix crash on debug condition (#454). * Fix a number of minor issues caught by the clang analyzer. * Set WARNING messages to yellow instead of normal text. * Correct debug colorise logic. Patch from Phil Mayers. * Encode attributes of type "ethernet". No one uses them, but it makes sense. * Work around regex initialization issues. * Fix build when linking against OpenSSL. * Print IDs as positive numbers, which helps for large DHCP XIDs. * Fix issue with sql_ippool. * sqlcounter now uses 64-bit counters, to deal with 4G overflow. * Fix issues with DHCP subsystem. * Don't build / install disabled modules, or their config files. * Fix build for OSX Mavericks, which hid the header files in a magical place. * Fix LEAP buffer issue. You should still avoid LEAP. * Mark "unknown" WiMAX attributes as being WiMAX. * Fix typo in packet decoder for fragmented extended attrs * RPM spec fixes. * Fix rlm_perl build issues when not using threads. * Enable %{Response-Packet-Type} again. * Update configuration file parser to handle "bool" consistently. * Update declarations of global boolean variables to use "bool" consistently. This fixes an issue where some modules were instantiated in "config check" mode and did not work correctly. * Make more messages debug instead of info, to avoid polluting the logs with messages that can't be fixed. * Set operator in internal unlang code to suppress spurious warning messages. * Fix debian packaging. * Added "status" to Debian init script. * Fix "update outer.request" to update the outer request. * Don't print TLS debugging messages when not in debug mode. * Correctly manage counters for "limit" sections of TCP / TLS "listen" sockets. * Fix libldap debug output. * Fix rlm_ldap tls functionality. * Initialise OpenSSL globals early to avoid issues with the PostgreSQL library. * Fix typo in sqlcounter expansion code. Fixes #463 * Overwrite previous instances of SQL-User-Name when adding it to the request. * Work around bugs in both MIT and heimdal versions of krb5_copy_context(), which caused segfaults in multithreaded mode. * Provide meaningful error messages if Heimdal krb5 is used. * Fix attribute supression in rlm_detail. * Exit with error code if child fails to complete server initialisation after forking. This allows init scripts to correctly report whether the server started ok. FreeRADIUS 3.0.0 Mon 7 Oct 2013 15:48:14 EDT urgency=medium Feature improvements * Documentation for upgrading from 2.x is in raddb/README.rst Please follow it. It will make the upgrade easier. * Moved configuration entries in radiusd.conf to make more sense. * Added the "integer64" and "ipv4prefix" data types. * Added RADIUS over TLS (i.e. RadSec). See raddb/sites-available/tls * Updated internal API to support new attributes and formats * Added code to send SNMP Traps. See raddb/trigger.conf. * Added preliminary support for Apple's Grand Central Dispatch * Added provisions for raddb/dictionary.local, for local changes. See raddb/dictionary for more details. * Added packet/s tracking. See max_pps in the "listen" section. * The %{} expansions and "unlang" conditions are now parsed at server start. Descriptive errors are produced for syntax and format errors. * Casting is now supported for "unlang" comparisons. See "man unlang" e.g. 127.0.0.1 == Framed-IP-Address. * Direct comparison of attribute references is now supported. e.g. &Foo == &Bar. This avoids stringification of the attributes. * Direct assignment of attributes is now supported. e.g. Foo := &Bar. It also works for "octets" data types. * Comparisons of IPv4 and IPv6 prefixes are now supported. The "<" operator means "within the prefix" for comparisons. * New sha1 xlat expansion (thanks to Alan Buxey) * Colourised log messages when logging to stdout. Look for yellow warnings and red errors. Doing this will save you a LOT of grief. * If the PCRE library is available, use it (insted of the POSIX functions) to process regular expressions (thanks to Phil Mayers). * -xv now displays all the features the server was built with, and the versions of the core libraries (libtalloc, libssl). Module Changes * Moved raddb/modules/ to raddb/mods-available/, and raddb/mods-enabled/, following the examples of other projects. * Additional files for each module are now in raddb/mods-config/. See raddb/mods-config/README.rst for documentation. * Moved "users" to raddb/mods-config/files/authorize * Moved "hints" and "huntgroups" to raddb/mods-config/preprocess/ * Moved eap.conf to mods-available/eap * Moved sql.conf to mods-available/sql * Moved TLS configuration for EAP into a common subsection. See raddb/mods-available/eap, "tls-config" section. * Added for MS-CHAP Change Password from Phil Mayers. See raddb/mods-available/mschap, "passchange" subsection. * Added EAP-PWD implementation from Dan Harkins * Added connection pools for modules. This unifies connection management which was previously different for different modules. * SQL now uses the connection pool. See mods-available/sql * SQL now supports arbitrary Acct-Status-Types. These changes are not compatible with 2.x. * SQL now has full support for SQLite. See raddb/sql/main/sqlite/ * SQLite supports auto-creation of new databases on server startup for bootstrapping purposes. * LDAP now uses the connection pool. The LDAP module has been completely re-written for performance and simplicity. * LDAP now caches groups. This makes multiple group checks MUCH faster. * Removed all limitations on 253 octet attributes. RFC 6929 allows for attributes up to 4K in length. * New rlm_idn module providing an expansion for performing IDNA encoding of internationalized domain names. Thanks to 'skids'. * New rlm_yubikey module to validate yubikey OTP tokens. See raddb/modules/yubikey Bug fixes * All known bug fixes from 2.2.x are included. * Removed "addport" functionality. * Removed many unused or duplicate modules. See raddb/README.rst. Internal / API changes: * All traces of the old build system have been removed. The new build system is faster and simpler. * clang is fully supported. * We now use "talloc" for memory management. A number of new features required this change. Thanks to the Samba people! * Many internal APIs have been updated to use talloc. * New API for iterating over VALUE_PAIRs. This is in preparation for attributes, in version 3.1. * No new code should directly modify any field of a VALUE_PAIR. * VALUE_PAIRs contain pointers to DICT_ATTR instead of containing attribute and vendor fields. This will allow nested attributes. * Some protocol specific code has been moved out into proto_* modules. More will come in subsequent versions. See proto_dhcp and proto_vmps. * Standardised internal logging macros. radlog() should not be used. See src/include/log.h * Use OpenSSL hashing functions when available. * The server now builds with no warnings on most platforms. * New RADIUS encoder/decoder, to support new formats. * Added RFC 6929 "extended attributes", via the new encoder/decoder. * Added full WiMAX support, via the new encoder/decoder. The old code could not handle some unusual corner cases.