What's new in FreeRADIUS 3.2.3
May 26, 2023
- The focus of this release is stability.
New in FreeRADIUS 3.2.2 (Feb 16, 2023)
- The focus of this release is stability.
New in FreeRADIUS 3.2.1 (Oct 3, 2022)
- The focus of this release is stability.
New in FreeRADIUS 3.2.0 (Sep 5, 2022)
- Feature Improvements:
- All features from 3.0.x are included in the 3.2.x releases. In addition:
- Add the 'reset_day' and '%%r' parameters for rlm_sqlcounter, to specify which day of the month the counter is reset on.
- Partial backport of rlm_json from v4, providing the json_encode xlat. See mods-available/json for documentation.
- Support for the haproxy "PROXY" protocol. See sites-available/tls, "proxy_protocol", and doc/antora/modules/howto/pages/protocols/proxy/.
- Support for sending CoA-Request and Disconnect-Request packets in "reverse" down RadSec tunnels. Experimental for now, and undocumented.
- It is now possible to run a virtual server when saving / loading TLS cache attributes. See sites-available/tls-cache for more information.
- Removed the "cram" module. It was undocumented, and used old and insecure authentication methods.
- Remove the "otp" module. The "otpd" program it needs is no longer available, and the module has not been usable since at least 2015.
- 3.2.0 requires OpenSSL 1.0.2 or greater.
- Bug Fixes:
- All bug fixes from 3.0.x are included in the 3.2.x releases.
New in FreeRADIUS 3.0.25 (Oct 7, 2021)
- Feature Improvements:
- Better debug output when proxying is disabled.
- Updates to support PostgreSQL 14 (#4251).
- Bug Fixes:
- Add `correct_escapes` back into default configuration.
- Fix undeclared variable with some compile options (#4246).
- Quiet erroneous debug output.
- Fix segfault when proxying to zombie home server.
- Fix resolving values to enum strings in rlm_rest (#4167).
- Fix printing raw values rather than enum strings in rlm_couchbase (#4167).
New in FreeRADIUS 3.0.23 (Jun 11, 2021)
- The focus of this release is stability.
New in FreeRADIUS 3.0.19 (Apr 10, 2019)
- Feature Improvements:
- Update dictionary.cisco.
- Update sqlippool to allow for stored procedures with PostgreSQL. This increases performance substantially. Patch from Nathan Ward. Fixes #2540.
- Re-added "show client config" command to radmin.
- Cleaned up mods-available/sql example so that it is easier to understand.
- Added pfSense dictionary. Closes #2581.
- Update dictionary.h3c. Closes #2592.
- Update elasticsearch/logstash config for v6.7.0.
- EAP-PWD security fixes from Mathy Vanhoef. See http://freeradius.org/security/.
- Bug Fixes:
- Update dynamic_client module and server core so that the functionality works. This has been broken since at least v2.
- Fix crash in sqlippool due to escaping changes. Patch from Nathan Ward. Fixes #2532, #2533.
- Fix systemd notify, watchdog and unit files. Fixes #2541, #2499.
- Fix erroneous length check in EAP-FAST.
- Update documentation to remove old "ignore_null" configuration. Fixes #2578.
- Fix default POD port. Should be 3799. Fixes #2591.
- Correctly encode vendor-specific "encrypted" attributes. Fixes #2600.
New in FreeRADIUS 3.0.18 (Feb 26, 2019)
- The focus of this release is stability.
New in FreeRADIUS 4.0.x Development (Apr 18, 2018)
- FEATURE IMPROVEMENTS:
- For upgrade instructions, see raddb/README.rst.
- "authorize", "authenticate", "preacct", etc. are deprecated. We now use "recv Access-Request". See raddb/README.rst.
- Dropped support for -i and -p flags in radiusd.
- New "map" function in unlang. See "man unlang".
- The "load-balance" and "redundant-load-balance" sections accept a key. See "man unlang".
- The EAP module tracks certificates in a different attribute list. See the upgrade instructions.
- The EAP module produces much better messages when using TLS.
- The MySQL and PostgreSQL modules now call the database string escape functions, instead of using "safe_characters".
- radmin / raddebug can now stream debug output directly to radmin, instead of using an intermediary file.
- radsniff stats (-W) now operates on PCAP files too.
- radsniff stats can be printed in CSV format.
- radsniff processes .1Q tagged packets by default.
- Improved internal state API, to simplify multiround authentication.
- ipaddr = * 'just works' for most DHCP configurations.
- Redis cluster support for all Redis modules.
- TLV Attributes can now be nested to nearly any depth.
- radsnmp client which can listen on Net-SNMP "pass persist" and translate that into queries to the server.
- rlm_perl: radiusd::xlat to evaluate xlat string within perl script.
- rlm_ldap supports maps, which can map the contents of multiple LDAP objects to RADIUS attributes.
- Both the rlm_ldap map and xlat functions support server side sort control specifiers in their URLs.
- rlm_eap supports RSA/ECC key agility.
- BUG FIXES:
- Attribute names in unlang MUST be prefixed with &. This fixes a host of ambiguities when parsing.
- Added unit tests for dictionary parsing and restrictions on which attributes can appear where.
New in FreeRADIUS 3.0.17 (Apr 18, 2018)
- FEATURE IMPROVEMENTS:
- Add CURLOPT_CAINFO. Patch from Nicolas C #2167.
- "stats home server" now supports "src IPADDR", to specify home server also by source IP. Fixes #2169.
- Add Dockerfiles for a selection of common systems.
- Increase number of permitted file descriptors, for systems with many home servers.
- Add TLS-Client-Cert-X509v3-Extended-Key-Usage-OIDs. Patch from Isaac Boukris. Fixes #2205.
- Update main READMEs. Patches from Matthew Newton.
- Added dictionary.mimosa.
- BUG FIXES:
- Don't call post-proxy twice when proxying to a virtual server. Matthew Newton, #2161.
- Use "raw" string value for shared secrets and dynamic clients. It now parses strings with backslashes and "special characters" correctly. Fixes #2168.
- Fix RuntimeDirectory for RedHat, from Alan Buxey.
- Relax checks in 'if' parser. From Isaac Boukris.
- Minor cleanups for %{debug_attr:&request}. From Isaac Boukris.
- Be more aggressive about cleaning up cached certificate attributes, due to deficiencies in OpenSSL. Reported by Nicolas Reich.
- Be more accepting when parsing IPv6 addresses. Bug noted by Klara Mall.
- Fix double free in rlm_sql. Fixes #2180.
- rlm_detail now writes empty Access-Accept packets.
- rlm_python can now create tagged attributes.
- Don't crash on duplicate realm + authhost / accthost. Bug found by Richard Palmer.
- Allow partial certificate chain to trusted CA. Fixes #2162.
- Treat SSL_read() returning zero as error. Fixes #2164.
- detail writer now checks if the file was renamed or deleted.
- Add User-Name to Access-Accept if EAP-Message exists, not Stripped-User-Name.
- RedHat Systemd updates. Fixes #2184.
- Use correct API for State variable in rlm_securid.
- Remove broken radclient option "-i".
- Fix "users" file (and hints, etc.) so that it does not get confused about entry ordering with multiple $INCLUDEs.
- Fix rlm_sql to expand the un-escaped string, not the raw string.
- Link default and inner-tunnel only if they exist. Fixes #2206.
- Don't use both IP_PKTINFO and IP_SENDSRCADDR.
- Always install signal handler for SIGINT (needed by Docker).
- Fix intermediate CA flow for OCSP. Fixes #2160. Intermediate certs which are not self-signed are now checked.
- sqlippool now returns "fail" if it fails IP allocation.
- Fix rlm_yubikey to look for correct attribute in replay attack check.
New in FreeRADIUS 3.0.16 (Jan 12, 2018)
- The focus of this release is stability.
New in FreeRADIUS 3.0.15 (Oct 24, 2017)
- FEATURE IMPROVEMENTS:
- Provide HOSTNAME in default systemd files.
- Incorporate RedHat specific files.
- Update dictionary.starent, dictionary.ruckus.
- Allow builds without TCP or DHCP.
- BUG FIXES:
- Fix multiple issues. See this web page for details: http://freeradius.org/security/fuzzer-2017.html.
- Check input / output length in make_secret() (FR-GV-201).
- Fix read overflow when decoding DHCP option 63 (FR-GV-206).
- Fix write overflow in data2vp_wimax() (FR-GV-301).
- Fix infinite loop and memory exhaustion with 'concat' attributes (FR-GV-302).
- Fix infinite read in dhcp_attr2vp() (FR-GV-303).
- Fix buffer over-read in fr_dhcp_decode_suboptions() (FR-GV-304).
- Decode 'signed' attributes correctly (FR-GV-305).
- Use strncmp() instead of memcmp() for bounded data (FR-AD-001).
- Bind the lifetime of program name and python path to the module (FR-AD-002).
- Pass correct statement length into sqlite3_prepare[_v2] (FR-AD-003).
- Print messages when we see deprecated configuration items.
- Show reasons why we couldn't parse a certificate expiry time.
- Be more accepting about truncated ASN1 times.
- Fix OpenSSL API issue which could leak small amounts of memory. Issue reported by Guido Vranken.
- For Access-Reject, call rad_authlog() after running the post-auth section, just like for Access-Accept.
- Don't crash when reading corrupted data from the session resumption cache. Fixes #1999.
- Parse port in dhcpclient. Fixes #2000.
- Don't leak memory for OpenSSL. Patch from Guido Vranken.
- Portability fixes taken from OpenBSD port collection.
- Don't process VMPS packets twice.
- Fix attribute truncation in rlm_perl.
- Fix bug when processing huntgroups.
New in FreeRADIUS 3.0.7 Feature Release (Mar 7, 2015)
- Feature improvements:
- Allow coa home_servers to be derived from client sections if a coa_server section is provided.
- Automatically determine the correct port if no port is provided for a home server.
- Allow foreach to operate over lists.
- Add compile time features to ${feature.*} and versions of core libraries to ${version.*}. Feature and version names match the output of radiusd -xv. %v is now deprecated.
- Add support for PATCH method in rlm_rest.
- Validate more module xlats on startup, and warn if an xlat expansion is found in a double quoted config item which will not be expanded.
- Add support for sub-second timeouts in rlm_rest.
- Add support for connection timeouts in rlm_rest.
- Add %{jsonquote:} xlat to escape strings for insertion into json documents.
- Add %{ldapquote:} xlat to escape strings for insertion into ldap DNs.
- Add %{explode:&ref }, which splits the value of &ref on the given delimiter and creates new &ref type attributes from the fragments.
- Allow rlm_ldap to use attribute references for base_dn and filter config items. The attribute references are not escaped, allowing DNs and filters to be created dynamically.
- Add %{nexttime:[]h|d|w|y} to calculate the number of seconds before the next hour(s), day(s), week(s), or year(s).
- Allow the left side of update sections to be xlat expansions. The result of the expansion is then used to reference the attribute to be modified.
- Added %{lpad:&Attribute-Name 7 x} and rpad. These produce fixed-width output strings, with padding to the left (lpad) or the right (rpad).
- For some SQL drivers (MySQL, sqlite) distinguish between constraints violations (on insert), invalid queries, and server errors, and return noop, invalid, and error respectively.
- Call SHOW WARNINGS in the MySQL driver and write them to the request log, if libmysqlclient indicates warnings are available on the server.
- Forbid the creation of Vendor-Specific for non-standard VSAs. Use Attr-26 = 0x... instead.
- Make dhcpclient work with raw sockets, and various other improvements. Contributed by nchaigne.
- Add support for SSHA2. Contributed by PDD.
- Add perle dictionary. Contributed by Hachmer.
- Modernise init scripts for RHEL, SUSE and Debian.
- radmin now tracks the return code of commands, and exits with status "1" if any command failed to execute.
- radmin now sends error messages from the server to stderr, instead of to stdout.
- radmin now looks for sockets matching its UID and GID, rather than just always using the first one it finds.
- radmin can now delete clients which are tied to a listener.
- Moved RADIUS attribute definitions to src/include/rfc*.h.
- Move to talloc pools for requests. For in-memory tests (default config, 'users' file), performance increases by 30%.
- In rlm_ldap allow sasl_mech to be specified for admin and user binds. Only non-interactive mechs (like EXTERNAL) are currently supported.
- Remove support for ephemeral RSA keys. They were "export only", and should not be used by anyone.
- Syntax errors in the "users" file now produce better error messages.
- Bug Fixes:
- Fix issues parsing LDAP hostnames with non-standard ports.
- Fix issues with realms containing regular expressions.
- Allow unary negation before parentheses in rlm_expr.
- Fix infinite loop in kevent event loop code. Issue only presented on FreeBSD.
- Be more careful to define Auth-Types before loading modules.
- Link libfreeradius-radius against OpenSSL too, to avoid multi-version symbols in SSL libraries.
- When rlm_ldap rebinds a connection, it should use bind credentials from the module that created the connection pool, not credentials from the module referencing it.
- Empty server config pairs should be allowed in rlm_ldap instances that reference another module's connection pool.
- Mark rlm_always as huppable, so its rcode can be changed via radmin (allows policy toggles).
- Emit warnings when ignoring user configured pool values.
- Fix issue that would cause radclient to complain intermittently about differing numbers of filters and requests.
- Fix cosmetic issues in connection pool logging, that made it appear as if the same connection was being opened multiple times.
- Fix threadsafety issues in SQL drivers, where a static buffer was used to store error messages.
- Log RERROR, RWARN, RINFO to the global log if request logging is not enabled.
- Link to libldap instead of libldap_r. libldap_r is not supported for use by projects outside of OpenLDAP.
- Set connection timeout correctly in rlm_sql_mysql.
- Build with older versions of libcurl, and use CFLAGS from curl-config.
- Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
- Initialise ldapai_info_version field, so libldap will report its vendor and version.
- Fix log rotation scripts by using the copyrotate option.
- Fix issue that caused opening control sockets to always fail on non-Linux systems, if a user or group was set.
- Save Session-State after proxying.
- Additional fixes for reading CoA/DM requests from detail files.
- Create dynamic clients if the dynamic clients virtual server returns ok *or* updated. Emit useful messages for other codes.
- Compile bare "authorize" statements, and issue errors saying using them isn't a good idea.
New in FreeRADIUS 3.0.6 Feature Release (Mar 7, 2015)
- Feature improvements:
- radmin / raddebug conditional errors are printed to the output, instead of being discarded.
- raddebug will exit if condition set with -c was invalid.
- radmin auto-reconnects if the connection to the server has gone away.
- rlm_cache now has submodule support. See raddb/mods-available/cache.
- New memcached driver for rlm_cache. See raddb/mods-available/cache.
- Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
- Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
- Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
- When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
- Support JIT compilation of compiled regular expressions when built with libpcre.
- Support named capture groups with "%{regex:}" when built with libpcre.
- Increase regular expression capture groups from 8 to 32.
- Emit error markers for badly formed regular expressions.
- Allow 'm' flag to enable multiline mode in regular expressions.
- Support limited implicit attribute conversion in update sections.
- Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
- Bug Fixes:
- PEAP works again. As does proxying EAP-MSCHAPv2 from inside of a PEAP tunnel.
- "group" is allowed inside of "instantiate" sections.
- update disconnect {} with disconnect:Packet-Dst-IP-Address now works correctly.
- Regular expression comparisons of non string attributes are now disallowed in the files module. Previously they would silently fail or produce undefined behaviour.
- Fix parsing of old regular expressions. Closes #842.
- Fix off by one error in ascend filters. Closes #843.
- Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
- Fix infinite loop on "Fall-Through = yes" when processing SQL groups.
- Correct the check of SQL query return code.
- Run "Post-Auth-Type Reject" if the request was rejected in post-auth.
- Write "Login OK" only if the post-auth section passed.
- Create TLS-Cert-* certificates, even when EAP session caching is disabled.
- Finalize the "correct_escapes" with many more tests.
- Move to the new OpenLDAP libldap API, fixes more issues with binary values.
- Fix potential memory corruption in rlm_ldap if start connections were set to 0, and the server was running in threaded mode. The fix is a workaround for an issue in libldap and was suggested by Howard Chu.
- Give parse errors on "%{...", without the closing brace.
- Allow spaces in certificate passwords for build rules in raddb/certs/.
- Make all regular expression evaluation binary safe. Where that's not possible, emit an error if the pattern or subject contains an embedded null byte.
- Fix various issues around masking IPv6 addresses.
- Give descriptive error if unknown attributes are used in "update" sections.
- Deal with cases where ldap_initialize isn't available gracefully, and use it exclusively when it's available.
New in FreeRADIUS 3.0.5 Feature Release (Mar 7, 2015)
- Feature improvements:
- Large update to Huawei dictionary.
- Added dictionary.rfc7155.
- Regular expressions like /%{User-Name}/ are now parsed and validated when the server starts.
- All configuration items which are dynamically expanded are now parsed and validated when the server starts.
- %{expr:...} expressions can now do bit shifting and more. See raddb/mods-available/expr.
- The detail file reader can now track packets which have had replies, so they are never re-transmitted. See raddb/sites-available/buffered-sql, the "track" config item.
- CoA and Disconnect packets can now be sent to a specific home server by setting control:Packet-Dst-IP-Address and (optionally) control:Packet-Dst-Port.
- Allow CoA and Disconnect packets to be read from the detail file.
- Allow LDAP to specify arbitrary attributes for dynamic clients.
- Convert all unused attributes in the control: list to config pairs in dynamic clients. This allows arbitrary client attributes to be set for dynamic clients too.
- rlm_couchbase now supports bulk loading of clients on startup in a similar way to rlm_ldap. Contributed by Aaron Hurt.
- Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
- Rename dictionary.redback to dictionary.ericsson.ab.
- Add --disable-openssl-version-check option to configure. So vendors can disable the check. Patch from Nikolai Kondrashov.
- Do context-specific indenting in debug messages. This makes the debug output easier to read.
- Make configuration a separate RPM, just like for Debian.
- Better decoding of unknown VSAs.
- When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
- Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
- Document retry_delay in connection pools.
- Allow checksimul in rlm_couchbase.
- Use kqueue on systems which support it. This allows for better scaling when using many sockets.
- Bug Fixes:
- Parse list qualifiers in generic LDAP 'valuepair_attribute' attributes correctly.
- Fix issue where prefix length would be ignored for dynamic or static clients if the address matched INADDR_ANY (0.0.0.0).
- Allow null user object filter in rlm_ldap, it's valid to specify a complete object DN and use the base scope.
- Don't SEGV if a received attribute value in a JSON structure is null, or a value can't be stringified.
- Don't assert if the server returns a JSON content-type and the server hasn't been built with support for JSON. Closes #808.
- Set CURLOPT_NOSIGNAL to prevent curl from handling signals and causing a longjmp error when the server was running with threads.
- Allow tabs after attribute names in the "users" file. Closes #796.
- Free unknown DICT_ATTRs. Closes #795.
- Handle unknown attributes in the conditions and "update" sections. e.g. Attr-1.2.3.4 = foo.
- Use correct array size for MS-CHAP new password.
- In rlm_rest, check for older versions of libraries at start time, rather than when a packet comes in.
- Don't call detach on parse error in rlm_perl. Closes #802.
- Integer fixes for big-endian systems. Closes #803.
- Don't optimize %{Packet-Src-IP-Address}. Closes #804.
- dhcpclient loads dictionaries correctly. Closes #805.
- Double quotes are no longer escaped in single-quoted strings, e.g. 'foo "hello" bar'.
- Fixes for proxying to virtual servers broke the detail file reader. Now they both work.
- Typos and fixes from Nikolai Kondrashov.
- Fixes to OpenSSL version checks, for cross-platform issues.
- cppcheck fixes from Herwin Weststrate.
- Fix build for OSX Yosemite.
- Merge DHCP sub-options. Closes #812.
- Fix decoding of Starent attributes.
- When a module asks for a connection, don't return idle connections.
- LDAP connection timeouts will now retry, instead of failing.
- Prevent race conditions between fork and wait for child. Patch from James Rouzier.
- Fix triggers for connection pools. Patches from Nikolai Kondrashov.
- Fix SEGV when comparing non string type check items.
- Build with newer versions of libmysqlclient.
- Make the %{escape:} and %{unescape:} xlat functions UTF8 safe.
- Don't escape UTF8 chars in SQL query strings.
- Fix issue in cached LDAP group comparisons, which caused checks to sometimes fail.
- Fix use after free issue in unlang switch evaluation.
- Respect operators in rlm_cache when merging into the current request.
- Update Cache-Entry-Hits each time rlm_cache is called.
- Produce WARN messages if SQL queries are empty strings.
- Fix invalid assertion when proxying CoA requests.
- Allow empty strings in "case" statements. Closes #836.
- Normalize escaping for string expansions. i.e. don't do double escaping in rare situations.
- Normalize LDAP escaping. LDAP servers have multiple ways to escape things, so the data has to be normalized before we can compare two LDAP DNs.
- Don't go to high debug level if we're proxying inner EAP as EAP. Closes #839.
- Fix rlm_rest state handling. Closes #835.
New in FreeRADIUS 2.2.6 (Mar 7, 2015)
- Feature improvements:
- When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
- Bug Fixes:
- Fix redundant-load-balance blocks to try other modules in the group if one fails.
- Fix potential read into uninitialised memory in rlm_pap when normalising octet type attributes containing password hashes. This is very unlikely to happen in the wild.
- Don't stop decoding DHCP options if we find a padding option.
- Define sig_t on systems which don't have it. Closes #765.
- When clients are loaded from SQL, allow them to be tied to a virtual server.
- Prevent race conditions between fork and wait for child. Patch from James Rouzier.
- Allow UTF-8 characters in SQL.
- Back-port udpfromto fixes from v3.
New in FreeRADIUS 3.0.4 Feature Release (Mar 7, 2015)
- Feature improvements:
- Home server "response_window" can now take fractions of a second. See proxy.conf.
- radmin now supports "show module status", as the counterpart to "set module status".
- Added dictionary ericsson.packet.ccore.networks, bluecoat, citrix, compatible, riverbed, ruckus, and RFC 7268.
- Add %{tag:} expansion to get the tag value of an attribute.
- Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS - ' in pg_stat_activity.
- All config item fields are now type checked at compile time to prevent issues similar to #634 occurring again.
- Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap.
- "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
- The above applies to "listen", "home_server", and "client" sections.
- "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
- Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
- Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
- Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests.
- rlm_cache now consumes its control attributes to make runtime configuration easier.
- Add control:Cache-Read-Only which when set to 'yes' will make the cache module merge existing cache data, but not create new entries.
- Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting.
- Add support for aliases in rlm_ldap.
- Add support for connection pool sharing to all modules that use the connection pool (pool = ).
- "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
- Preliminary support for EAP channel bindings.
- Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
- Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
- The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
- Allow comparison of integer attributes of different sizes, without requiring a cast.
- rlm_sqlippool is now IPV6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
- The debian build now checks for the OpenSSL package with the heartbleed fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'.
- Allow bootstrap from multiple files in sqlite driver.
- Bug Fixes:
- Make case-insensitive regular expressions work again, and add tests for them.
- A few more talloc parenting issues.
- Fix delayed proxy reply handling. Closes #637.
- Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646.
- Don't double-quote strings in debugging messages.
- Fix foreach / break. Fixes #639.
- Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary.
- Fix typo in mainconfig. Fixes #634
- More rlm_perl fixes. Fixes #635
- Free OpenSSL memory on clean exit.
- Fix [0] !* ANY - Was removing all instances of
- Fix case where multiple attributes were returned from RHS of mapping, as with rlm_ldap. Fixes #652
- Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may have resulted in a read of uninitialised memory.
- Don't SEGV if all connections to a database server go away. Fixes #651.
- Fix issue where -= was not removing tagged instances of equal to (only untagged).
- Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
- Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified.
- Fix issue where specifying a dynamic client IP address using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error.
- Don't print two "&" for messages about attribute or list references in debug output.
- Fix urlquote and escape to encode Unicode characters correctly.
- Fix redundant-load-balance blocks to try other modules in the group if one fails.
- Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes, would be sometimes misnormalised as base64.
- Don't stop processing DHCP options if we find a 0x00 padding option.
- Fix issue where modifying the value of an attribute created from a template with a literal value, may have resulted in the template literal being freed.
- Fix parenting issues in tls code which may have resulted in memory corruption and crashes.
- Fix issue in radsniff where writing to PCAP files and using -R response filters, where the requests would still be written to the PCAP for non matching responses.
- Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX.
- Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
- Delayed attribute references can now be used in unlang existence checks. i.e. if (&Attribute-Name) { ... }
- Fix issues in EAP-PWD. CVE-2014-4731, CVE-2014-4732, and CVE-2014-4733. There is no external authentication bypass.
- Fix a number of uses of the talloc parent/child reference.
- Release connection used for reading bulk clients in rlm_ldap.
- rlm_rest is now fail-safe if it's used without any configuration.
- Pull in build fixes for FreeBSD from ports.
- Fix error in sqlite postauth query.
- Evaluate argument to "switch" statements once, instead of for each "case" statement.
- Define sig_t on systems without it. Closes #765.
- Fix boundary issue with rlm_rest. Closes #768.
- Optimize "%{Attribute-Name}" in comparisons only if the dictionary types match.
- Don't do chmod() in rad_mkdir() if the directory already exists. We might not have permission to change it.
- Use getpwnam_r() and getgrnam_r() on systems which support it. Closes #775.
- Clients loaded from SQL are now tied to the "listen" section of a virtual server, instead of being global.
- Check for -lpcre. The system might have pcre.h without -lpcre.
- When proxying to a virtual server, use the proxy_reply instead of ignoring it.
- Fixed typos in DHCP SQL IPPool.
- Fix crash when passing multiple arguments to Perl xlat.
New in FreeRADIUS 3.0.3 Feature Release (Mar 7, 2015)
- Feature improvements:
- Everything now builds with no warnings from the C compiler, clang static analyzer, or cppcheck.
- rlm_ldap now supports defining the LDAP attribute name via backticked expansion (i.e. shell command) in RADIUS LDAP mappings.
- rlm_ldap now supports older style generic attributes.
- Dynamic expansions (e.g. "%{expr:1 + 2}") are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
- Static regular expressions (e.g. /a*b/) are now parsed when the server starts. Syntax errors in the strings are caught, and a descriptive error is printed.
- Dynamic expansions are cached after being parsed. They are no longer re-parsed at run-time for every request.
- Regular expressions are now parsed and cached when the server starts.
- Added the %{rest:} expansion to rlm_rest, which will send a GET request to the URL passed as the format string. Any body text will be written to the expansion buffer.
- rlm_rest now available as a debian package.
- When an 'if' condition statically evaluates to true/false, unlang does more static optimization. For examples, see src/tests/keywords/if-skip.
- All modules are marked as safe for '-C', which lets the dynamic expansion checks work in more situations.
- Added 'none' and 'custom' rlm_rest body types. 'custom' allows sending of arbitrary expanded text and content-type headers.
- Added "config" section to Perl. See mods-available/perl.
- Added '%v' which expands to the server version. Patch from Alan Buxey.
- More mis-matched casts are caught in "if" conditions, and descriptive errors are printed.
- Support basic response validation in radclient. This allows administrators to write local test cases for their site-specific configurations.
- Removed radconf2xml and radmin "show client config" and "show home_server config".
- Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
- Catch the underlying "Heartbleed" (CVE-2014-0160) problem, so that nothing bad happens with EAP even when using a vulnerable version of OpenSSL.
- Add locking API for sql_null, linelog, and detail modules, which should improve performance and work around issues on platforms with bad file locking.
- Allow DHCP NAKs to be delayed, via setting reply:FreeRADIUS-Response-Delay = 1.
- Allow tag and array references anywhere attributes are allowed in "unlang".
- Many enhancements to radsniff, including output to collectd, IPv6 support, and packet loss statistics.
- Many dictionary updates (ZTE, Brocade, Motorola).
- rlm_yubikey now automatically splits passwords from OTP strings.
- The detail file reader is now threaded by default. This should improve performance reading the files.
- Bug Fixes:
- Fix xlat expression %{attribute[n]} so that it actually returns the n'th attribute instead of the first one.
- Don't parse the string on the RHS of update {} when using unary operators (!*). The RHS should always be ignored.
- Check for more optional functions in json-c so we can build with libjson0, which is the name of the json-c package on Debian/Ubuntu.
- Fix issue in radmin where the main dictionaries would not be loaded which, depending on the configuration, may have caused validation errors.
- Fix handling of "%{reply:3GPP-*}"
- Fix rlm_perl garbage attributes
- Fix Oracle SQL queries, which amongst other things still used the old expansion format, which is no longer supported/parsed.
- Truncate long format strings and error markers instead of omitting them.
- Fix multiple attribute parsing in rlm_rest JSON.
- Don't crash in rlm_rest if connect_uri is commented out in the configuration.
- Don't double-escape strings to / from Perl. You may need to double-check your Perl scripts if they use "\" characters. See mods-available/perl for documentation.
- Don't re-run "authorize" if a home server fails to respond.
- Don't append "0x" to hex output of octets types, for xlat expansions. This is the same as v2, and makes it easier to concatenate multiple attributes of type "octets".
- FreeBSD fixes for execinfo linking.
- Make some of the module configurations more consistent.
- Fix corner cases where STDOUT wouldn't be closed in daemon mode.
- Re-enable "update coa" and originating CoA requests.
- Prevent multiple threads writing to the sql query logs.
- Fix zombie period calculation. Closes #579
- Properly parent VPs for talloc, when moving them in map2request.
- Various fixes for talloc parent / child relationships
- Allow rlm_counter to support VSAs.
- Normalize return codes for many modules. "do nothing" is noop, not "ok".
- Run Post-Proxy-Type Fail. Closes #576
- Fix DHCP destination port for replies to relays. Closes #591
- Do-Not-Respond policy works again. Closes #593
- Proxy-To-Virtual-Server works again. Closes #596
- Build fixes for ancient systems. Closes #607, #608, #609.
- %{Module-Return-Code} works again. Closes #610.
- Don't increment statistics for Status-Server responses. Closes #612.
- A duplicate request isn't a duplicate if the original one is marked "done". This should lower retransmissions from clients.
- Fix multiple regular expression and glob memory leaks.
- Don't allocate any memory in fr_fault() as it can cause malloc to deadlock.
- Temporarily set dumpable flag before calling system in fr_fault() else the debugger may not be able to attach.
- Set nonblock on all TCP client sockets.
- Fix minor buffer overrun in mschapv2 where some attribute strings were not correctly \0 terminated.
- Fix crash on authentication failure with MIT kerberos.
- Fix code so that octal escape sequences aren't prematurely unescaped in rlm_sql, radclient, preprocess, and other places. This may require configuration changes, as these sequences will no longer need double escaping (\\) of the backslash.
- The connection pools no longer have one connection used twice in certain rare conditions.
- Use self pipes for internal signals. The code was there, but was unused.
- Don't crash if there are outstanding EAP sessions and we were told to exit gracefully.
- Fix typo in dictionary.rfc4072
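Illustration of the octal-escape entry above ("Fix code so that octal escape sequences aren't prematurely unescaped ..."): a single-pass unescaper, and what happens to "\\012" when the pass is applied twice, which is why the double backslash used to be needed. This is an added example written for this page, not FreeRADIUS code; the exact set of accepted escape sequences, the out-of-range rule, and the function names are this example's assumptions.

```python
r"""Single-pass unescaping of backslash sequences in a config string.

Added example for the octal-escape changelog entry, not FreeRADIUS code.
Assumed sequence set: backslash-backslash, \n, \r, \t, backslash-quote, and
one to three octal digits.  Unknown escapes and a trailing backslash are kept
literally; an octal value above \377 is treated as a syntax error.
"""

_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\"}


def unescape(s):
    """Decode the escape sequences in s exactly once."""
    out = []
    i = 0
    while i < len(s):
        c = s[i]
        if c != "\\" or i + 1 == len(s):
            # ordinary character, or a lone backslash at the very end
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt in _SIMPLE:
            out.append(_SIMPLE[nxt])
            i += 2
        elif "0" <= nxt <= "7":
            # up to three octal digits, e.g. \012 -> newline, \101 -> 'A'
            j = i + 1
            while j < len(s) and j < i + 4 and "0" <= s[j] <= "7":
                j += 1
            value = int(s[i + 1:j], 8)
            if value > 0o377:
                raise ValueError("octal escape %s out of range" % s[i:j])
            out.append(chr(value))
            i = j
        else:
            # unknown escape: keep the backslash and let the next char through
            out.append(c)
            i += 1
    return "".join(out)


def double_unescape_hazard(s):
    """Return (after one pass, after a second pass).

    The second pass is what the affected code paths used to apply in effect:
    a configured "\\012" (backslash, 0, 1, 2) survives one pass as intended,
    but the second pass turns it into a newline, so users had to write "\\\\012"
    to get a literal backslash followed by 012.
    """
    once = unescape(s)
    return once, unescape(once)


if __name__ == "__main__":
    # Constructed sample input, as it would appear inside a quoted config value.
    print(repr(unescape(r"\012")))
    print(repr(double_unescape_hazard(r"\\012")))
```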
New in FreeRADIUS 2.2.5 (Mar 7, 2015)
- Feature improvements:
- Update dictionary.terena and dictionary.zte.
- Expose server version via %v. Patch from Alan Buxey.
- Forbid running with vulnerable versions of OpenSSL. See "allow_vulnerable_openssl" in the "security" subsection of "radiusd.conf"
- Catch underlying "heartbleed" problem, so that nothing bad happens with EAP even when using a vulnerable version of OpenSSL.
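Illustration of the two OpenSSL entries above, which also appear in the 3.0.3 list ("Forbid running with vulnerable versions of OpenSSL" and "Catch underlying heartbleed problem"): a fail-closed version gate with an explicit acknowledgement knob, and a TLS record check that refuses the malformed heartbeat Heartbleed relied on. This is an added example written for this page, not FreeRADIUS code. The Heartbleed version ranges, the OpenSSL version-string layout, and the TLS record and heartbeat formats (RFC 5246, RFC 6520) are public facts; the function names, the accepted values of the allow_vulnerable argument, and the sample records are this example's assumptions.

```python
"""Fail-closed checks in the spirit of the OpenSSL changelog entries.

Added example for this page, not FreeRADIUS code.  Function names, the
'allow_vulnerable' argument values and the sample input are assumptions.
"""
import re
import struct

# Versions are (major, minor, fix, stage, n): stage 0 = beta n, stage 1 =
# release with patch letter n (a=1, b=2, ...; 0 = no letter), so the tuples
# sort in release order.  Ranges are inclusive.
VULNERABLE = [
    # Heartbleed: 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g.
    ("CVE-2014-0160", (1, 0, 1, 1, 0), (1, 0, 1, 1, 6)),
    ("CVE-2014-0160", (1, 0, 2, 0, 1), (1, 0, 2, 0, 1)),
]

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)(?:-beta(\d+)|([a-z]))?")


def parse_openssl_version(text):
    """'OpenSSL 1.0.1f 6 Jan 2014' -> (1, 0, 1, 1, 6); ValueError on junk."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix, beta, letter = m.groups()
    if beta is not None:
        return (int(major), int(minor), int(fix), 0, int(beta))
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), 1, patch)


def vulnerable_cves(version):
    """CVE ids from the table whose range covers this version, without duplicates."""
    hits = []
    for cve, low, high in VULNERABLE:
        if low <= version <= high and cve not in hits:
            hits.append(cve)
    return hits


def check_openssl_version(text, allow_vulnerable="no"):
    """Return (may_start, cves).

    allow_vulnerable is this example's stand-in for the radiusd.conf knob:
    'no' refuses any known-vulnerable library, 'yes' accepts anything, and a
    single CVE id acknowledges exactly that issue, so a library hit by any
    other CVE is still refused.
    """
    cves = vulnerable_cves(parse_openssl_version(text))
    if not cves or allow_vulnerable == "yes":
        return True, cves
    if allow_vulnerable == "no":
        return False, cves
    return all(c == allow_vulnerable for c in cves), cves


TLS_HEARTBEAT = 24          # ContentType heartbeat(24), RFC 6520
HEARTBEAT_MIN_PADDING = 16  # RFC 6520: padding_length MUST be at least 16


def check_tls_record(record, allow_heartbeat=False):
    """Validate one TLS record before it is handed to the TLS library.

    Returns (content_type, reason); reason is None when the record may be
    passed on.  Heartbleed was the library trusting the heartbeat's own
    payload_length over the enclosing record length, so that is the check
    made here.  An EAP-TLS server has no use for heartbeats, so by default
    type 24 is refused outright; the length check applies if they are allowed.
    """
    if len(record) < 5:
        return None, "truncated TLS record header"
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        return content_type, "record announces %d bytes but %d are present" % (length, len(body))
    if content_type != TLS_HEARTBEAT:
        return content_type, None
    if not allow_heartbeat:
        return content_type, "TLS heartbeat records are not permitted"
    if len(body) < 3:
        return content_type, "heartbeat body shorter than its fixed header"
    _hb_type, payload_length = struct.unpack("!BH", body[:3])
    room = len(body) - 3 - HEARTBEAT_MIN_PADDING
    if payload_length > room:
        return content_type, "heartbeat claims %d payload bytes, record holds at most %d" % (
            payload_length, max(room, 0))
    return content_type, None


if __name__ == "__main__":
    # Constructed sample input: a vulnerable library string, a benign handshake
    # record, and a Heartbleed-style probe (3-byte body claiming 65535 bytes).
    print(check_openssl_version("OpenSSL 1.0.1f 6 Jan 2014"))
    print(check_openssl_version("OpenSSL 1.0.1f 6 Jan 2014", "CVE-2014-0160"))
    print(check_tls_record(b"\x16\x03\x01\x00\x05\x01\x02\x03\x04\x05"))
    print(check_tls_record(b"\x18\x03\x02\x00\x03\x01\xff\xff", allow_heartbeat=True))
```

The version gate refuses to start rather than warn, and the override is keyed to a specific CVE so that acknowledging one known issue does not silently waive the next one; the record check rejects on the mismatch between the record's length and the heartbeat's claimed payload length, which is exactly the bounds check the vulnerable library lacked.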
- Bug Fixes:
- Minor changes to build on Sun.
- Print non-ASCII characters as octal in linelog. Closes #578.
- Fix zombie period calculation. Closes #579
- Feature improvements:
- When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
- Bug Fixes:
- Fix redundant-load-balance blocks to try other modules in the group if one fails.
- Fix potential read into uninitialised memory in rlm_pap when normalising octet type attributes containing password hashes. This is very unlikely to happen in the wild.
- Don't stop decoding DHCP options if we find a padding option.
- Define sig_t on systems which don't have it. Closes #765
- When clients are loaded from SQL, allow them to be tied to a virtual server.
- Prevent race conditions between fork and wait for child. Patch from James Rouzier.
- Allow UTF-8 characters in SQL.
- Back-port udpfromto fixes from v3