freeradius-server

FreeRADIUS - A multi-protocol policy server.

GPL-2.0 License


freeradius-server -

Published by arr2036 over 9 years ago

Feature improvements

  • Allow coa home_servers to be derived from client
    sections if a coa_server section is provided.
  • Automatically determine the correct port if no port is
    provided for a home server.
  • Allow foreach to operate over lists.
  • Add compile time features to ${feature.*} and versions
    of core libraries to ${version.*}. Feature and version
    names match output of radiusd -xv. %v is now deprecated.
  • Add support for PATCH method in rlm_rest.
  • Validate more module xlats on startup, and warn if an
    xlat expansion is found in a double quoted config item
    which will not be expanded.
  • Add support for sub-second timeouts in rlm_rest.
  • Add support for connection timeouts in rlm_rest.
  • Add %{jsonquote:<str>} xlat to escape strings for insertion
    into json documents.
  • Add %{ldapquote:<str>} xlat to escape strings for insertion
    into ldap DNs.
  • Add %{explode:&ref <char>}, splits value of &ref on
    <char> and creates new &ref type attributes with the
    fragments.
  • Allow rlm_ldap to use attribute references for base_dn and
    filter config items. The attribute references are not
    escaped, allowing DNs and filters to be created dynamically.
  • Add %{nexttime:[<int>]h|d|w|y} to calculate the number of
    seconds before the next <int>hour(s), day(s), week(s),
    or year(s).
  • Allow the left side of update sections to be xlat expansions.
    The result of the expansion is then used to reference the
    attribute to be modified.
  • Added %{lpad:&Attribute-Name 7 x} and rpad. These produce
    fixed-width output strings, with padding to the left (lpad)
    or the right (rpad).
  • For some SQL drivers (MySQL, sqlite) distinguish between
    constraints violations (on insert), invalid queries, and
    server errors, and return noop, invalid, and error respectively.
  • Call SHOW WARNINGS in the MySQL driver and write them to
    the request log, if libmysqlclient indicates warnings are
    available on the server.
  • Forbid the creation of Vendor-Specific for non-standard
    VSAs. Use Attr-26 = 0x... instead.
  • Make dhcpclient work with raw sockets and various other
    improvements - Contributed by nchaigne
  • Add support for SSHA2 - Contributed by PDD.
  • Add perle dictionary - Contributed by Hachmer
  • Modernise init scripts for RHEL, SUSE and Debian.
  • radmin now tracks the return code of commands, and exits
    with status "1" if any command failed to execute.
  • radmin now sends error messages from the server to
    stderr, instead of to stdout.
  • radmin now looks for sockets matching its UID and GID,
    rather than just always using the first one it finds.
  • radmin can now delete clients which are tied to a listener.
  • Moved RADIUS attribute definitions to src/include/rfc*.h
  • Move to talloc pools for requests. For in-memory tests
    (default config, 'users' file), performance increases by 30%.
  • In rlm_ldap allow sasl_mech to be specified for admin and
    user binds. Only non-interactive mechs (like EXTERNAL)
    are currently supported.
  • Remove support for ephemeral RSA keys. They were "export only",
    and should not be used by anyone.
  • Syntax errors in the "users" file now produce better
    error messages.

Bug fixes

  • Fix issues parsing LDAP hostnames with non-standard ports.
  • Fix issues with realms containing regular expressions.
  • Allow unary negation before parentheses in rlm_expr.
  • Fix infinite loop in kevent event loop code. Issue only
    presented on FreeBSD.
  • Be more careful to define Auth-Types before loading modules.
  • Link libfreeradius-radius against OpenSSL too, to avoid
    multi-version symbols in SSL libraries.
  • When rlm_ldap rebinds a connection, it should use bind
    credentials from the module that created the connection
    pool, not credentials from the module referencing it.
  • Empty server config pairs should be allowed in rlm_ldap
    instances that reference another module's connection pool.
  • Mark rlm_always as huppable, so its rcode can be changed
    via radmin (allows policy toggles).
  • Emit warnings when ignoring user configured pool values.
  • Fix issue that would cause radclient to complain
    intermittently about differing numbers of filters and
    requests.
  • Fix cosmetic issues in connection pool logging, that made
    it appear as if the same connection was being opened
    multiple times.
  • Fix threadsafety issues in SQL drivers, where a static
    buffer was used to store error messages.
  • Log RERROR, RWARN, RINFO to the global log if request
    logging is not enabled.
  • Link to libldap instead of libldap_r. libldap_r
    is not supported for use by projects outside of OpenLDAP.
  • Set connection timeout correctly in rlm_sql_mysql.
  • Build with older versions of libcurl, and use CFLAGS from
    curl-config.
  • Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
  • Initialise ldapai_info_version field, so libldap will report
    its vendor and version.
  • Fix log rotation scripts by using the copyrotate option.
  • Fix issue that caused opening control sockets to always
    fail on non-Linux systems, if a user or group was set.
  • Save Session-State after proxying.
  • Additional fixes for reading CoA/DM requests from detail
    files.
  • Create dynamic clients if the dynamic clients virtual server
    returns ok or updated. Emit useful messages for other codes.
  • Compile bare "authorize" statements, and issue errors saying
    using them isn't a good idea.
freeradius-server -

Published by arr2036 almost 10 years ago

Feature improvements

  • radmin / raddebug conditional errors are printed
    to the output, instead of being discarded.
  • raddebug will exit if condition set with -c was invalid.
  • radmin auto-reconnects if the connection to the server
    has gone away.
  • rlm_cache now has submodule support. See
    raddb/mods-available/cache
  • New memcached driver for rlm_cache. See
    raddb/mods-available/cache
  • Add support for &Attribute-Name[*] in conditions.
    See "man unlang" for details.
  • Add &Attribute-Name[n] which gets the last instance
    of an attribute e.g. Module-Failure-Message[n].
  • Allow for redundant string expansions. See the
    "instantiate" section of radiusd.conf.
  • When checking IP addresses in conditions, make the
    right side be parsed as an IP prefix.
  • Support JIT compilation of compiled regular expressions
    when built with libpcre.
  • Support named capture groups with "%{regex:}"
    when built with libpcre.
  • Increase regular expression capture groups from 8 to 32.
  • Emit error markers for badly formed regular expressions.
  • Allow 'm' flag to enable multiline mode in regular
    expressions.
  • Support limited implicit attribute conversion in update
    sections.
  • Support casting between IPv6 and IPv4 where the IPv6
    address has the v4/v6 mapping prefix (::ffff:).

Bug fixes

  • PEAP works again. As does proxying EAP-MSCHAPv2
    from inside of a PEAP tunnel.
  • "group" is allowed inside of "instantiate" sections.
  • update disconnect {} with
    disconnect:Packet-Dst-IP-Address now works correctly.
  • Regular expression comparisons of non string attributes
    are now disallowed in the files module. Previously
    they would silently fail or produce undefined behaviour.
  • Fix parsing of old regular expressions. Closes #842
  • Fix off by one error in ascend filters. Closes #843.
  • Handle NT-Hash in rlm_pap. This allows passwords to
    have backslashes in them.
  • Fix infinite loop on "Fall-Through = yes" when
    processing SQL groups.
  • Correct the check of SQL query return code.
  • Run "Post-Auth-Type Reject" if the request was rejected
    in post-auth
  • Write "Login OK" only if the post-auth section passed.
  • Create TLS-Cert-* certificates, even when EAP session
    caching is disabled.
  • Finalize the "correct_escapes" with many more tests.
  • Move to the new OpenLDAP libldap API, fixes more issues
    with binary values.
  • Fix potential memory corruption in rlm_ldap if start
    connections were set to 0, and the server was running
    in threaded mode. The fix is a workaround for an issue
    in libldap and was suggested by Howard Chu.
  • Give parse errors on "%{...", without the closing brace.
  • Allow spaces in certificate passwords for build rules
    in raddb/certs/
  • Make all regular expression evaluation binary safe.
    Where that's not possible, emit an error if the pattern
    or subject contains an embedded null byte.
  • Fix various issues around masking IPv6 addresses.
freeradius-server -

Published by arr2036 almost 10 years ago

Feature improvements

  • Large update to Huawei dictionary.
  • Added dictionary.rfc7155
  • Regular expressions like /%{User-Name}/ are now parsed
    and validated when the server starts.
  • All configuration items which are dynamically expanded
    are now parsed and validated when the server starts.
  • %{expr:...} expressions can now do bit shifting and more.
    See raddb/mods-available/expr.
  • The detail file reader can now track packets which have
    had replies, so they are never re-transmitted. See
    raddb/sites-available/buffered-sql, the "track" config item.
  • CoA and Disconnect packets can now be sent to a specific
    home server by setting control:Packet-Dst-IP-Address and
    (optionally) control:Packet-Dst-Port.
  • Allow CoA and Disconnect packets to be read from the
    detail file.
  • Allow LDAP to specify arbitrary attributes for dynamic
    clients.
  • Convert all unused attributes in the control: list to config
    pairs in dynamic clients. This allows arbitrary client
    attributes to be set for dynamic clients too.
  • rlm_couchbase now supports bulk loading of clients on startup
    in a similar way to rlm_ldap. Contributed by Aaron Hurt.
  • Allow one level of backslashes (finally). See radiusd.conf,
    "correct_escapes" setting.
  • Rename dictionary.redback to dictionary.ericsson.ab
  • Add --disable-openssl-version-check option to configure.
    So vendors can disable the check. Patch from
    Nikolai Kondrashov.
  • Do context-specific indenting in debug messages. This makes
    the debug output easier to read.
  • Make configuration a separate RPM, just like for Debian.
  • Better decoding of unknown VSAs
  • When supported by OpenSSL, allow TLS 1.1 and TLS 1.2
    in EAP methods.
  • Allow multiple new connections to be spawned simultaneously
    in the connection pool, to cope with spikes in traffic.
  • Document retry_delay in connection pools.
  • Allow checksimul in rlm_couchbase.
  • Use kqueue on systems which support it. This allows for
    better scaling when using many sockets.

Bug Fixes

  • Parse list qualifiers in generic LDAP 'valuepair_attribute'
    attributes correctly.
  • Fix issue where prefix length would be ignored for dynamic
    or static clients if the address matched INADDR_ANY
    (0.0.0.0).
  • Allow null user object filter in rlm_ldap, it's valid to
    specify a complete object DN and use the base scope.
  • Don't SEGV if a received attribute value in a JSON structure
    is null, or a value can't be stringified.
  • Don't assert if the server returns a JSON content-type and
    the server hasn't been built with support for JSON.
    Closes #808.
  • Set CURLOPT_NOSIGNAL to prevent curl from handling signals
    and causing a longjmp error when the server was running with
    threads.
  • Allow tabs after attribute names in the "users" file.
    Closes #796.
  • Free unknown DICT_ATTRs. Closes #795
  • Handle unknown attributes in the conditions and "update"
    sections. e.g. Attr-1.2.3.4 = foo.
  • Use correct array size for MS-CHAP new password.
  • In rlm_rest, check for older versions of libraries at start
    time, rather than when a packet comes in.
  • Don't call detach on parse error in rlm_perl. Closes #802.
  • Integer fixes for big-endian systems. Closes #803.
  • Don't optimize %{Packet-Src-IP-Address}. Closes #804.
  • dhcpclient loads dictionaries correctly. Closes #805.
  • Double quotes are no longer escaped in single-quoted
    strings. e.g. 'foo "hello" bar'.
  • Fixes for proxying to virtual servers broke the detail file
    reader. Now they both work.
  • Typos and fixes from Nikolai Kondrashov.
  • Fixes to OpenSSL version checks, for cross-platform issues.
  • cppcheck fixes from Herwin Weststrate.
  • Fix build for OSX Yosemite
  • Merge DHCP sub-options. Closes #812.
  • Fix decoding of Starent attributes.
  • When a module asks for a connection, don't return idle
    connections.
  • LDAP connection timeouts will now retry, instead of failing.
  • Prevent race conditions between fork and wait for child.
    Patch from James Rouzier.
  • Fix triggers for connection pools. Patches from
    Nikolai Kondrashov.
  • Fix SEGV when comparing non string type check items.
  • Build with newer versions of libmysqlclient.
  • Make the %{escape:} and %{unescape:} xlat functions UTF8
    safe.
  • Don't escape UTF8 chars in SQL query strings.
  • Fix issue in cached LDAP group comparisons, which caused
    checks to sometimes fail.
  • Fix use after free issue in unlang switch evaluation.
  • Respect operators in rlm_cache when merging into the current
    request.
  • Update Cache-Entry-Hits each time rlm_cache is called.
  • Produce WARN messages if SQL queries are empty strings.
  • Fix invalid assertion when proxying CoA requests.
  • Allow empty strings in "case" statements. Closes #836.
  • Normalize escaping for string expansions. i.e. don't do
    double escaping in rare situations.
  • Normalize LDAP escaping. LDAP servers have multiple ways
    to escape things, so the data has to be normalized before
    we can compare two LDAP DNs.
  • Don't go to high debug level if we're proxying inner EAP
    as EAP. Closes #839.
  • Fix rlm_rest state handling. Closes #835.
freeradius-server -

Published by arr2036 about 10 years ago

Feature improvements

  • Home server "response_window" can now take fractions of a second. See proxy.conf.
  • radmin now supports "show module status", as the counterpart to "set module status"
  • Added dictionary ericsson.packet.ccore.networks, bluecoat, citrix, compatible, riverbed, ruckus, and RFC 7268.
  • Add %{tag:} expansion to get the tag value of an attribute.
  • Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS - ' in pg_stat_activity.
  • All config item fields are now type checked at compile time to prevent issues similar to #634 occurring again.
  • Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap.
  • "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
  • The above applies to "listen", "home_server", and "client" sections.
  • "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
  • Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
  • Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
  • Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests.
  • rlm_cache now consumes its control attributes to make runtime configuration easier.
  • Add control:Cache-Read-Only which when set to 'yes' will make the cache module merge existing cache data, but not create new entries.
  • Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting.
  • Add support for aliases in rlm_ldap.
  • Add support for connection pool sharing to all modules that use the connection pool (pool = ).
  • "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
  • Preliminary support for EAP channel bindings.
  • Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
  • Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
  • The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
  • Allow comparison of integer attributes of different sizes, without requiring a cast.
  • rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
  • The debian build now checks for the OpenSSL package with the heartbleed fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
  • Allow bootstrap from multiple files in sqlite driver.

Bug Fixes

  • Make case-insensitive regular expressions work again, and add tests for them.
  • A few more talloc parenting issues
  • Fix delayed proxy reply handling. Closes #637
  • Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646
  • Don't double-quote strings in debugging messages
  • Fix foreach / break. Fixes #639
  • Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary.
  • Fix typo in mainconfig. Fixes #634
  • More rlm_perl fixes. Fixes #635
  • Free OpenSSL memory on clean exit.
  • Fix [0] !* ANY - Was removing all instances of
  • Fix case where multiple attributes were returned from RHS of mapping, as with rlm_ldap. Fixes #652
  • Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may have resulted in a read of uninitialised memory.
  • Don't SEGV if all connections to a database server go away. Fixes #651.
  • Fix issue where -= was not removing tagged instances of equal to (only untagged).
  • Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
  • Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified.
  • Fix issue where specifying a dynamic client IP address using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error.
  • Don't print two "&" for messages about attribute or list references in debug output.
  • Fix urlquote and escape to encode Unicode characters correctly.
  • Fix redundant-load-balance blocks to try other modules in the group if one fails.
  • Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes, would be sometimes misnormalised as base64.
  • Don't stop processing DHCP options if we find a 0x00 padding option.
  • Fix issue where modifying the value of an attribute created from a template with a literal value, may have resulted in the template literal being freed.
  • Fix parenting issues in tls code which may have resulted in memory corruption and crashes.
  • Fix issue in radsniff where writing to PCAP files and using -R response filters, where the requests would still be written to the PCAP for non matching responses.
  • Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX.
  • Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
  • Delayed attribute references can now be used in unlang existence checks. i.e. if (&Attribute-Name) { ... }
  • Fix issues in EAP-PWD. CVE-2014-4731, CVE-2014-4732, and CVE-2014-4733. There is no external authentication bypass.
  • Fix a number of uses of the talloc parent/child reference.
  • Release connection used for reading bulk clients in rlm_ldap.
  • rlm_rest is now fail-safe if it's used without any configuration
  • Pull in build fixes for FreeBSD from ports.
  • Fix error in sqlite postauth query
  • Evaluate argument to "switch" statements once, instead of for each "case" statement.
  • Define sig_t on systems without it. Closes #765.
  • Fix boundary issue with rlm_rest. Closes #768
  • Optimize "%{Attribute-Name}" in comparisons only if the dictionary types match.
  • Don't do chmod() in rad_mkdir() if the directory already exists. We might not have permission to change it.
  • Use getpwnam_r() and getgrnam_r() on systems which support it. Closes #775.
  • Clients loaded from SQL are now tied to the "listen" section of a virtual server, instead of being global.
  • Check for -lpcre. The system might have pcre.h without -lpcre.
  • When proxying to a virtual server, use the proxy_reply instead of ignoring it.
  • Fixed typos in DHCP SQL IPPool.
  • Fix crash when passing multiple arguments to Perl xlat.