2007/03/25 - 0.9.12c

- Fixed security bug in radldap.c by cleaning up the DN-as-pseudo-attribute feature. It contained a dangerous strcpy. Long DN values could cause a buffer overflow in the radldap sub module, possibly allowing arbitrary code originating from the database to be run as the user radldap runs as, which is the same as the user the main server runs as in default installations.
- Updated BSD and Solaris makefiles

2006/03/24 - 0.9.12b

- Updated the GNU and BSD makefiles to use $(PREFIX) for compiled in base paths, defaulting to /usr/local. If you specify a PREFIX during 'make', you must specify the same one during 'make install'. The INST_PREFIX is a wholly separate feature that specifies the target root directory for the installation only, and is intended for the creation of binary packages and -tarballs.
- Fixed LDAP bitrot since 0.9.9:
  o updated radldap and radldap.attrmap to reflect the moving of the internal int and str attributes from vendor 0 to the special vendor 'any' and the renumbering of 'clearpassword' and 'md5hexpassword' in dict.internal.
  o Fixed a naming error in sample.ldif and mismatch with the authbind behaviour file
- Improved radldap error resilience: if a search results in a low level LDAP error, it will reconnect itself instead of leaving that to the LDAP library. OpenLDAP eg. fails to do that.

2006/03/17 - 0.9.12a

First maintenance release for 0.9.12. I expect to do those for a while, as it's the last one that attempts to be compatible with existing installations. 0.9.13 has a big overhaul in some areas of the behaviour language.

- Reverted change made to the installation script in 0.9.11, which broke on systems with strictly POSIX versions of 'cp'.
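As an added illustration of the 0.9.12c radldap fix (this is not radldap's own code): the shape of an unbounded strcpy of an LDAP DN into a fixed-size attribute value, beside a length-checked version that refuses DNs that do not fit and reports the failure instead of writing past the buffer. The names dn_to_attr_unsafe, dn_to_attr_safe, struct av_pair and AV_MAXLEN are assumptions made for this example; 253 is the largest value a RADIUS attribute can carry, since the one-octet attribute length covers the two header bytes as well.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not radldap's own code: models the 0.9.12c fix, an
 * unbounded copy of an LDAP DN into a fixed-size attribute value.
 * AV_MAXLEN (253) is the largest value a RADIUS attribute can carry. */
#define AV_MAXLEN 253

struct av_pair {
    unsigned char type;        /* attribute number (assumed field name) */
    unsigned char len;         /* number of bytes used in value[] */
    char value[AV_MAXLEN + 1]; /* +1 so a C string terminator fits */
};

/* Before: nothing bounds the copy, so a DN longer than AV_MAXLEN returned
 * by the directory runs past value[] into whatever follows it in memory.
 * Kept here only to show the pattern; never call it with untrusted input. */
void dn_to_attr_unsafe(struct av_pair *av, unsigned char type, const char *dn)
{
    av->type = type;
    strcpy(av->value, dn);     /* the dangerous call */
    av->len = (unsigned char)strlen(dn);
}

/* After: measure first, refuse anything that does not fit, then copy
 * exactly that many bytes. Returns 0 on success, -1 if the DN is too long. */
int dn_to_attr_safe(struct av_pair *av, unsigned char type, const char *dn)
{
    size_t n = strlen(dn);
    if (n > AV_MAXLEN)
        return -1;             /* over-long DN: reject, do not truncate */
    av->type = type;
    memcpy(av->value, dn, n);
    av->value[n] = '\0';
    av->len = (unsigned char)n;
    return 0;
}

int main(void)
{
    struct av_pair av;
    char longdn[600];

    /* constructed inputs: a normal DN and one far beyond the limit */
    memset(longdn, 'x', sizeof longdn - 1);
    longdn[sizeof longdn - 1] = '\0';
    printf("short DN -> %d\n",
           dn_to_attr_safe(&av, 1, "uid=alice,ou=people,dc=example,dc=com"));
    printf("long DN  -> %d\n", dn_to_attr_safe(&av, 1, longdn));
    return 0;
}
```

Attribute number 1 in the calls above is a constructed choice for the example; the point is the length check, which turns a memory-safety bug into an ordinary error the caller can log and handle.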
- Minor backports from 0.9.13's build files (make dist works more sensibly now; making a preprocessed .i file from a .c file is now possible by simply calling make dir/file.i)
- Removed EAPServer and EAP-TLS stuff; it's unusable and doesn't provide useful information as the form EAP work has taken on in 0.9.13 is quite different.

2005/12/8 - 0.9.12

Changes

- Altered compiler's search order when encountering a named term. If an attribute context is in scope, the list of constant value names for that attribute is now searched before the list of attributes is searched. This allows Acct-Terminate-Cause == Session-Timeout to work as expected.
- Changed the scoping of the attribute context used for finding constant names. Attribute contexts are now only reset when a comma is encountered (not when immediate terms are read). The context still only propagates to lower level subexpressions, not to higher levels.
- Made all VM arithmetic and conversions unsigned. Fits RADIUS better, as all IETF integer attributes are defined as unsigned. Wrapping at either side works properly, and we use 2's complement, so no information is lost: (2 - 5) + 6 == 3, and -(2 - 5) == 3, and 2 - 5 == -3 are all still true.
- Changed radclient's logging parameters; -q now only suppresses output on stderr and does not influence the log level anymore. That is now solely controlled by -v, which lowers the log threshold for all facilities from ERROR to NOTICE, and another -v from NOTICE to DEBUG.

New features

- Big modernization of the example configuration/behaviour files for PostgreSQL and MySQL; the good bits of various customer implementations and new features are included there, such as proxying, summary logging, and Message-Authenticator checking.
- Added feature in radsql to allow the id of the last inserted record as given by the DBD's last_insert_id function to be returned in an attribute.
  The format of the bind variable list given by the second 'str' is now 'bindattr,bindattr,bindattr/returned_id_attr[=sequence_name]'. Some database drivers /require/ the sequence name to be specified; others ignore it. Too bad, but many behaviour files will already use database-specific SQL statements anyway.
- Added feature that allows you to put A/V pairs to be added to each request's request or reply list in the configuration file. Can be used for setting a server key for use in State and Class HMAC checking, and other static values.
- Added Request-Number and Server-Pid feature that can help in generating safe session identifiers if the NAS doesn't provide them. The concatenation of Timestamp + Server-Identifier + Server-Pid + Request-Number is *guaranteed* to be unique by your machine's sanity (the PID not wrapping nor OpenRADIUS getting 2^31 requests in one second), whereas 'random 8' merely has a high *probability* of being unique over a number of iterations. Using random for serial numbers is gambling with a high chance of success, not making an effort. There is a difference!
- Implemented multi-call transactions. This allows you to ensure that repeated calls to a module end up at the same instance of the module. For example, if you require SQL transactions, you can now run multiple instances of radsql again, because all calls that are part of a transaction will use the same PID, or return with an error. This is done by allowing module interfaces to specify an attribute where the chosen PID of a module subprocess is stored after a module call. If that attribute is found upon a (subsequent) module call, we route the job to that PID, or continue the job with that attribute set to -1, so that your behaviour file can roll back the transaction, reset the session, or perform other cleanups. This makes transaction-based SQL accounting very scalable.
- Updated radaccttest wrapper to allow setting an Acct-Session-Id attribute using -sess.
Bugfixes

- Made radsql more friendly towards picky DBD drivers that require a bindvar call for all placeholders, including those that are NULL. This fixes a problem when using newer versions of Postgres.
- Made radsql return int=1 when DBI returns '0E0' for 'number of records returned/affected', so that N/A is interpreted as success. This fixes a problem when using newer versions of Postgres.
- Made 'make install INST_PREFIX=directory' work as advertised. Should merge Ray Dassen's Debian package soon.
- The feature that allows part of the request- and reply list to be initialized in the configuration file now actually works

0.9.11b

- Applied missing shoe polish. Was missing from 0.9.11 releases. Seriously, installation and configuration are now as they should be: working out of the box.

2005/11/9 - 0.9.11 (it's an accident, honestly)

Changes:

- Bumped binary module interface version to 2, because we now send requests with a different magic number (0xbeefdead). Replies are still expected to have 0xdeadbeef as the magic number. The difference will be used to distinguish among replies by modules and messages from modules that are to be decoded using a dictionary and handled as a new 'RADIUS' request, with the response going back to the module. A side effect is that the binary module 'cat' will then not implement 'moveall', but a recursive call of the behaviour file.

New features:

- Implemented auto splitting of attributes at buildtree stage based on max_size dictionary item property. Currently max_size cannot be set explicitly, but is calculated from the len_size and the rest.
- Implemented unary prefix operator 'all' that takes all instances of A/V pairs referenced by its operand and joins them together into one string. Referenced integers are taken as raw bytes in network order.
- Implemented unary prefix operator 'random' that generates a number of random bytes matching the given integer or the length of the string on the right.
- Implemented binary operators 'papencrypt' and 'papdecrypt'; this allows full 128-byte PAP password support, contrary to the crude version that used to be in the example behaviour files
- Implemented binary operator 'unixcrypt' that performs a crypt(3), based on patch by Geoffrey Hort. Note: Platform makefiles other than Makefile.gnu don't currently set -DHAVE_CRYPT or -lcrypt in S_CF_CRYPT and S_LL_CRYPT.
- Implemented binary operator 'hmacmd5' to allow verification of Message-Authenticator in the behaviour file. Added code to sign response packets in Message-Authenticator if it was given on the reply list.
- Implemented Message-Authenticator checking in the supplied example behaviour file.
- Added missing attributes from RFC2869 to dict.rfc2869. Together with the above two changes, this means that the server is now fully RFC 2869 compliant if you use a suitable behaviour file.
- Modernised example behaviour files, taking advantage of new dictionary layout and the and, or, pokedwith, papdecrypt and accept/reject/acctresp operators. Log-Line still only used in behaviour.sample-usersfile and accounts/behaviour for now.
- Solved ancient encoder problem that required the reply list to be ordered such that fixed fields (eg. the RAD-* attributes) effectively had to come either all first or last, but not mixed with the normal attributes. (Technical explanation of the feature: if meta_buildtree is about to use a fixed (eg. RAD-Attributes) field as an encapsulating item, it now searches the tree on the current level to see if such an item already exists. If so, that one is used, instead of adding a new instance that would overwrite the old instance of the item during encode).
- Allowed source directories to be specified as well as files for build/install
- Improved default install permissions; always required manual tweaking and the default set was good for almost nobody.
  Everything is now mode 644 (755) except for potentially sensitive files (configuration, because it holds database passwords; behaviour, because it may hold emergency admin credentials; and legacy, because it holds shared secrets and user credentials), which are installed 640. It's recommended to set the group of the 640/750 files to 'radiusd' and run the server as a (obviously non-root) user that is a member of that group.

Bugfixes:

- Fixed subtle stdarg-related bug; on AMD64, va_list is a reference to the argument list index instead of the actual index. A braindead way of dealing with register parameters, but allowed by C99. Caused SIGSEGVs at startup. Reported by Jörg Wunsch
- Fixed error in radsql that caused it to fail on newer DBI drivers that return undef instead of 0 as the number of columns returned if there is nothing to fetch.
- Fixed subtle bug in radclient that caused it not to encrypt PAP attributes correctly if a request authenticator was already given in the query. Does not happen when used for proxying or other normal purposes, but it's a bug nonetheless.
- Fixed bug in job_run that would make the server behave unpredictably if your behaviour file doesn't set a Secret on the reply list but still makes the server respond (using halt or its accept, reject, or acctresp variations thereof).
- Fixed error in meta_atoord (ASCII to numeric conversion operating on rings) that caused characters in the range 'a' - base to be accepted, where they should be rejected. Most prominent effect is that '\xa\xa' now works and generates '\x0a\x0a' instead of '\xa5xa'.
- Fixed small memory leak when papencrypt or papdecrypt is supplied with invalid authenticators/secrets
- Fixed bug that prevented the syslog facility argument from being handled correctly; patch from Geoffrey Hort
- Renamed ARCH variable in build system to ARCHIVE, so that ARCH can hold an architecture name, as is the case on eg.
  FreeBSD, suggested by Adam Jette

2005/02/20 - 0.9.10

- Fixed compile error of tools/ascenddatafilter on MAC OS X (UINT4)
- Added support for pseudo LDAP attribute 'dn' in radldap; this can be used to map the distinguished names of returned objects to OpenRADIUS attributes, allowing you to search for an object first and then to bind on it (using a separate instance of radldap).
- Added a balanced accounts example setup, see examples/accounts; implements full pre-paid accounts based on time slots and/or metered time. Also supports automatic caller ID locking.
- Restructured source tree a bit, renaming raddb to etc and creating an examples directory containing the (not installed) example configurations, to prepare for merging Ray Dassen's contributed Debian package (thanks!)
- Corrected error in subdicts/dict.ascend that prevented all integer attributes from working.
- Added a few dictionaries, most notably ERX (Juniper), WISPr and Nomadix; updated dict.rfc2869 to be more complete.
- Updated the default configuration and behaviour files for ASCII files to use Log-Line and pokeav. Other example files still tbd.
- Changed logging for the [recv] and [send] facilities; level notice now gives decoded A/V lists for [recv] and the Log-Line for [send], and level debug provides the packet hexdumps for both and an A/V tree for facility [send].
- Added Log-Line feature: an attribute that gets logged as facility [send] at level notice when the behaviour expression terminates. This removes the need for a logging interface call before every halt or abort.
- Added pokeav to support changing attributes or fixed fields in place; together with the new dictionary structure, this allows you to set eg. Message-Authenticator to zeroes before doing a hmac-md5 on the whole packet. No hmac-md5 operator is implemented yet though.
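The packet-level step behind the pokeav entry above, as an added example that is not OpenRADIUS code: before HMAC-MD5 over an Access-Request can be computed or checked, the 16-byte value of Message-Authenticator (attribute 80, RFC 2869) has to be zeroed in place, and doing that on a packet received from the network means validating every attribute length before using it. zero_message_authenticator, build_sample_request and all_zero are assumed names; the packet is constructed for the example, with a fixed 0x5a request authenticator and an 0xaa placeholder where a real HMAC would sit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenRADIUS code. Function and constant names are
 * assumptions; the packet layout is the RFC 2865 one: 20-byte header
 * (code, id, length, authenticator) followed by type/length/value attributes
 * whose one-octet length includes the two header bytes. */
#define RAD_HDR_LEN 20
#define ATTR_MESSAGE_AUTHENTICATOR 80   /* RFC 2869 */
#define MA_VALUE_LEN 16

/* Zeroes the Message-Authenticator value in place, the state the packet
 * must be in when its HMAC-MD5 is computed or verified. Returns the offset
 * of that value, 0 if the attribute is absent, or -1 if the packet is
 * malformed: length field outside [20, buflen], an attribute length below
 * 2 or running past the packet, a Message-Authenticator whose length is
 * not 18, or more than one of them. */
long zero_message_authenticator(uint8_t *pkt, size_t buflen)
{
    size_t len, off;
    long found = 0;

    if (buflen < RAD_HDR_LEN)
        return -1;
    len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len < RAD_HDR_LEN || len > buflen)
        return -1;
    for (off = RAD_HDR_LEN; off < len; ) {
        uint8_t type, alen;
        if (len - off < 2)
            return -1;                  /* truncated attribute header */
        type = pkt[off];
        alen = pkt[off + 1];
        if (alen < 2 || off + alen > len)
            return -1;                  /* bogus length: never index with it */
        if (type == ATTR_MESSAGE_AUTHENTICATOR) {
            if (alen != 2 + MA_VALUE_LEN || found)
                return -1;
            memset(pkt + off + 2, 0, MA_VALUE_LEN);
            found = (long)(off + 2);
        }
        off += alen;
    }
    return found;
}

/* Builds a constructed Access-Request: id 7, User-Name "alice", and a
 * Message-Authenticator filled with 0xaa as a stand-in for a real HMAC.
 * Returns the packet length (45), or 0 if buf is too small. */
size_t build_sample_request(uint8_t *buf, size_t buflen)
{
    const size_t total = RAD_HDR_LEN + 7 + 18;
    size_t n = RAD_HDR_LEN;

    if (buflen < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 1;                         /* Access-Request */
    buf[1] = 7;                         /* identifier */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    memset(buf + 4, 0x5a, 16);          /* constructed Request Authenticator */
    buf[n++] = 1; buf[n++] = 7;         /* User-Name, length 7 */
    memcpy(buf + n, "alice", 5); n += 5;
    buf[n++] = ATTR_MESSAGE_AUTHENTICATOR; buf[n++] = 18;
    memset(buf + n, 0xaa, MA_VALUE_LEN); n += MA_VALUE_LEN;
    return n;
}

/* True if the n bytes at b are all zero. */
int all_zero(const uint8_t *b, size_t n)
{
    while (n--)
        if (*b++ != 0)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_sample_request(pkt, sizeof pkt);
    long off = zero_message_authenticator(pkt, n);

    printf("Message-Authenticator value at offset %ld, zeroed: %d\n",
           off, off > 0 && all_zero(pkt + off, MA_VALUE_LEN));
    pkt[28] = 1;                        /* corrupt the attribute length */
    printf("malformed packet -> %ld\n", zero_message_authenticator(pkt, n));
    return 0;
}
```

The HMAC-MD5 itself (keyed with the shared secret, over the whole packet in this zeroed state) is left to the hmacmd5 operator that the 0.9.11 entries describe; what this block shows is the part that handles attacker-controlled bytes, which is where the length checks matter.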
- Restructured dictionary to remove the RAD-Length = 20 hack from the dictionary, and to allow access to the whole packet for the purpose of verifying signatures such as RAD-Authenticator and Message-Authenticator (80).
- Added asmac operator that converts strings containing MAC addresses to a user defined canonical format. Usage is 'string asmac separator', eg. "0:01:2:03:4:aA" asmac "" -> 0001020304aa or (same) asmac "-" -> 00-01-02-03-04-aa
- Updated example behaviour file behaviour.sample-usersfile to show how PAP passwords longer than 16 characters can be handled (0.9.9c)
- Fixed problem caused by missing file etc/openradius/legacy/nases (0.9.9c)
- Fixed a bug that allowed a module dying at the wrong time to take the server with it. A timespan existed between reaping dead modules and sending data to modules for modules to exit, causing the write to generate a SIGPIPE. This was observed in the field under high load in combination with a constantly restarting module (0.9.9b)
- Fixed compiler error that caused it to generate spurious auto conversion opcodes for parenthesized subexpressions (0.9.9a)

2004/08/xx - 0.9.9

- Added Target-Server attribute to radclient which can be used to specify one or more server:port/secret combos to be used for the query instead of those given on the command line.
- Enhanced module interface; the receive window may be larger than 1; requests/replies may use a user defined job ticket attribute to refer to one of several outstanding requests. The module subprocess supervision watchdog now guards the oldest job on the receive queue.
- The above two entries are really just a cryptic way of saying that full featured proxying is finally there.
- Cleaned up and updated behaviour,configuration.sample-usersfile to demonstrate proxying and added a Naslist interface that can be used to add NAS-specific attributes (in addition to RADIUS client-specific attributes; there's no difference if there are no proxies in between).
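The asmac conversion from the 0.9.10 entries above and the meta_atoord digit fix from 0.9.11, as one added example that is not OpenRADIUS's own code: digit_value maps a character to its numeric value and rejects anything at or above the base (the check that keeps 'a' out of a base-10 number), and asmac uses it to parse six one- or two-digit hex groups separated by ':' or '-' (an assumed set of accepted input separators) and re-emit them as lowercase two-digit octets joined by the separator string. Both function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenRADIUS code; function names are assumptions. */

/* Returns the value of c as a digit in the given base (2..36), or -1 if c
 * is not a digit of that base. The v < base test after the mapping is what
 * the meta_atoord fix amounts to: 'a' maps to 10, which is a valid digit in
 * base 16 but must be rejected in base 10. */
int digit_value(int c, int base)
{
    int v;
    if (c >= '0' && c <= '9')      v = c - '0';
    else if (c >= 'a' && c <= 'z') v = c - 'a' + 10;
    else if (c >= 'A' && c <= 'Z') v = c - 'A' + 10;
    else return -1;
    return v < base ? v : -1;
}

/* Canonicalises a MAC address. in: six groups of one or two hex digits
 * separated by ':' or '-'. sep: string placed between output octets.
 * out/outlen: receives lowercase two-digit octets. Returns 0 on success,
 * -1 on malformed input (wrong group count, three-digit group, trailing
 * junk, bad separator) or if out is too small. */
int asmac(const char *in, const char *sep, char *out, size_t outlen)
{
    unsigned char oct[6];
    const char *p = in;
    size_t seplen = strlen(sep);
    size_t need = 12 + 5 * seplen + 1;   /* 6 octets, 5 separators, NUL */
    char *o = out;
    int i;

    for (i = 0; i < 6; i++) {
        int v = 0, ndig = 0, d;
        while (ndig < 2 && (d = digit_value((unsigned char)*p, 16)) >= 0) {
            v = v * 16 + d;
            ndig++;
            p++;
        }
        if (ndig == 0)
            return -1;                   /* empty group */
        oct[i] = (unsigned char)v;
        if (i < 5) {
            if (*p != ':' && *p != '-')
                return -1;               /* third digit or missing separator */
            p++;
        }
    }
    if (*p != '\0')
        return -1;                       /* more than six groups or junk */
    if (outlen < need)
        return -1;
    for (i = 0; i < 6; i++) {
        if (i > 0) {
            memcpy(o, sep, seplen);
            o += seplen;
        }
        o += sprintf(o, "%02x", oct[i]);
    }
    *o = '\0';
    return 0;
}

int main(void)
{
    char out[32];
    const char *in = "0:01:2:03:4:aA";   /* the input from the changelog */

    if (asmac(in, "", out, sizeof out) == 0)
        printf("%s\n", out);
    if (asmac(in, "-", out, sizeof out) == 0)
        printf("%s\n", out);
    printf("'a' in base 10 -> %d, in base 16 -> %d\n",
           digit_value('a', 10), digit_value('a', 16));
    return 0;
}
```

Rejecting rather than guessing on malformed input is deliberate: a MAC that goes into a caller-ID lock or a database key should be either the canonical form or an error, never a partially parsed string.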
- Added an example schema, configuration and behaviour file for PostgreSQL. The configuration- and behaviour files also show the new proxy features.
- Added -a flag to radsql to turn autocommit off. Remember to make sure that multiple statements in the same transaction go through the same connection, by defining an interface with only a single 'prog=radsql' line when using this flag.
- Improved module interface debugging output
- Improved VM error messages (although you would probably rather have seen that for the compiler)
- Fixed some rare corner cases in module interface and language and some uninitialised structures; valgrind is completely happy now.

2004/01/16 - 0.9.8

- Added pidfile and 'reopen-output-at-HUP' feature by Brian Candler to radlogger for easier log rotation.
- Made ascfile more forgiving about carriage returns at the start of lines.
- Added 'exists' boolean unary postfix operator, which returns 0 if the left hand side argument is an unresolved attribute reference, and 1 otherwise. This is useful to distinguish between a false (empty or zero) valued attribute and no attribute at all.
- Added 'not' and 'no' as synonyms for '!', the boolean not operator. This means you can write "no User-Password exists" and get the expected result.
- Added a badly needed convenience feature: three behaviour file operators, accept, reject, and acctresp. These set RAD-Code to the appropriate value and halt, but before doing so, they remove certain A/V pairs from the reply list. This makes it much easier for your behaviour file to guarantee RFC-compliant responses. The rules are as follows:
  * acctresp deletes all attributes in space RAD-ATR from the reply list, unless the attribute has 'acctresp' set in the dictionary. This is normally only the case for Proxy-State, but you may set it for additional attributes if required.
  * reject deletes all attributes in space RAD-ATR from the reply list, unless the attribute has 'reject' set in the dictionary.
    This is normally only the case for Proxy-State and Reply-Message, but you may set it for additional attributes if required.
  * accept doesn't remove any attributes, it just sets RAD-Code to Access-Accept before halting. Included mainly for completeness.
- Updated raddb/subdicts/dict.stdauth to include these flags.
- Added SMB (Windows NT) authentication module by Brian McGraw
- Made radldap use LDAPv3 instead of LDAPv2 by default, unless -2 is specified.
- Increased max. subprocess message size and made subprocess ring buffer always follow chosen size.
- Fixed a typo in jobs.c that caused a SIGSEGV on overflowing interface queues.
- Fixed bug in radclient that prevented echoing of Radclient-Query-Id in case of successful queries.
- Made radclient not add a CHAP-Challenge attribute if -p (don't encode given password attributes) is specified
- Made radaccttest script accept same optional argument list as radtest (port, cli, dnis, etc).
- Added groupname column in MySQL schema. This can be used to add attributes that are specific to a user-, client- or NAS-group, by doing a query in space 'groups' using the groupname values as returned by a query for users, clients or NASes. See the new behaviour.sample-mysql.
- Fixed bug in behaviour.sample-mysql that prevented reply attributes returned by the client query from working correctly
- Improved usefulness of authentication logging in SQL as done by behaviour.sample-mysql; the result is logged too, for example.
- Cleaned up the default behaviour.sample-usersfile a little, and updated it to make use of the new preferred 'or' and 'and' synonyms for || and && and the new accept, reject and acctresp operators.
- Added command line tool to precompile Ascend-Data-Filter definitions to binary form suitable for use in the behaviour file or MySQL.
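The accept, reject and acctresp rules from the 0.9.8 entry above, as an added example that is not OpenRADIUS code: a reply list of RAD-ATR attributes is filtered against dictionary flags before RAD-Code is set, so that a behaviour file cannot accidentally leak a Session-Timeout or other reply attribute into an Access-Reject or Accounting-Response. The flag and function names and the struct layout are assumptions; the attribute and code numbers are the RFC 2865/2866 ones, and the dictionary excerpt is constructed to match the defaults the changelog describes (Proxy-State keeps both flags, Reply-Message only 'reject').

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenRADIUS code. Only attributes in space RAD-ATR are
 * modelled, as plain attribute numbers; names below are assumptions. */

enum { ACCESS_ACCEPT = 2, ACCESS_REJECT = 3, ACCOUNTING_RESPONSE = 5 };
enum { FLAG_REJECT = 1, FLAG_ACCTRESP = 2 };

struct dict_entry { unsigned char type; const char *name; unsigned flags; };

/* Constructed dictionary excerpt reflecting the changelog's defaults. */
static const struct dict_entry dict[] = {
    {  1, "User-Name",       0 },
    { 18, "Reply-Message",   FLAG_REJECT },
    { 27, "Session-Timeout", 0 },
    { 33, "Proxy-State",     FLAG_REJECT | FLAG_ACCTRESP },
};

static unsigned flags_for(unsigned char type)
{
    size_t i;
    for (i = 0; i < sizeof dict / sizeof dict[0]; i++)
        if (dict[i].type == type)
            return dict[i].flags;
    return 0;   /* unknown attributes carry no flags and so get stripped */
}

#define MAX_REPLY 16
struct reply { unsigned char code; int n; unsigned char attr[MAX_REPLY]; };

/* Applies the halt rules for op: accept keeps everything, reject keeps only
 * attributes flagged 'reject', acctresp keeps only those flagged 'acctresp'.
 * Sets RAD-Code and returns the number of attributes removed, or -1 for an
 * op that is not one of the three. */
int reply_halt(struct reply *r, int op)
{
    int i, kept = 0, removed;

    if (op != ACCESS_ACCEPT && op != ACCESS_REJECT && op != ACCOUNTING_RESPONSE)
        return -1;
    for (i = 0; i < r->n; i++) {
        unsigned f = flags_for(r->attr[i]);
        int keep = op == ACCESS_ACCEPT ||
                   (op == ACCESS_REJECT && (f & FLAG_REJECT)) ||
                   (op == ACCOUNTING_RESPONSE && (f & FLAG_ACCTRESP));
        if (keep)
            r->attr[kept++] = r->attr[i];   /* compact in place */
    }
    removed = r->n - kept;
    r->n = kept;
    r->code = (unsigned char)op;
    return removed;
}

int main(void)
{
    /* constructed reply list: User-Name, Reply-Message, Session-Timeout,
     * Proxy-State, as a behaviour file might have left it before 'reject' */
    struct reply r = { 0, 4, { 1, 18, 27, 33 } };
    int removed = reply_halt(&r, ACCESS_REJECT);
    int i;

    printf("reject: code %d, removed %d, kept:", r.code, removed);
    for (i = 0; i < r.n; i++)
        printf(" %d", r.attr[i]);
    printf("\n");
    return 0;
}
```

Keeping the policy in dictionary flags rather than in each behaviour file is the design point: the flag table is reviewed once, and every halt path gets the same sanitisation.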
- Added Ascend dictionary using FreeRADIUS' dictionary and Brian Candler's free2openradius.pl script

2003/05/02 - 0.9.7

- Added 'radsql' module that supports generic queries to SQL databases, including queries that return FreeRADIUS-style check items or arbitrary A/V pairs.
- Added 'delay' module that answers after delaying a number of seconds
- Added '-s' (single line) flag to the radlogger module. (from Brian Candler)
- Made some minor improvements to radaccttest
- Made radtest pass on the -i (interface) option
- Added some optional request attribute args to the radtest script
- Added radtest / radaccttest to list of files installed in .../bin
- Made radlogger's error messages go to stderr instead of stdout
- Fixed permission bits on Makefile.solgcc / sol5gcc
- Added -lber to radldap's flags in Makefile.bsd
- Updated main README with new build and test instructions

2003/04/03 - 0.9.6:

- Added documentation for the client in tools/radclient/README
- Added Cistron/FreeRADIUS-compatible radtest wrapper scripts in tools/radclient/radtest and -radaccttest
- Changed default timeout in radclient to 5 seconds instead of 2
- Fixed typo in radclient.c that prevented replies from being correctly matched to requests
- Added Acct-Status-Types from RFC 2869 (Tunneling) in dict.stdacct
- Added Makefile.sol5gcc for Solaris 2.5.1; removes HAVE_VSNPRINTF
- Removed unsupported -f (flood) option in radclient for now
- Removed some outdated and redundant documentation files from doc/

2003/02/25 - 0.9.5:

- Added versatile radius client in tools/radclient; supports fully asynchronous operation, multiple target servers, the standard OpenRADIUS module interface, encoding of PAP and CHAP passwords, and much more. Can be used for trivial proxying purposes as well.
- Fixed segfault when reading dictionary that occurred when an item referenced for adding constant value names is outside the default space. (from 0.9.4c)
- Minor fixes for QNX4's Watcom C (which defaults to unsigned char).
- Added a portable install script; installation now works hassle-free on Linux, NetBSD, FreeBSD, BSDI, SunOS 5, Solaris 7, Tru64 4.0, 5.1, and QNX 4. No longer overwrites existing configuration directories.
- Complete rewrite of the build system, using a single-session make. At the cost of relying more heavily on GNU Make, rebuilds are now always correct, header dependencies are automatically generated and tracked without requiring things like 'make dep', and full builds are faster. (See the paper "Recursive Make Considered Harmful", by Peter Miller). Also fixes inconsistencies in various Make.conf.xxx files.
- Changed default configuration directory from ...etc/raddb to ...etc/openradius. This makes it easier to keep it next to other servers and removes the suggestion that the files are compatible.
- Ascfile module: multiline records are no longer delimited by blank lines; rather, a new record is started by any non-comment line whose first non-whitespace character is in column 0, for both single and multiline-record files. The distinction is gone, so the -s flag is not needed anymore either. (from Brian Candler)
- Added support for USR's NMC attributes in the dictionary; no actual attributes added yet though.
- Fixed partially initialized sockaddr_in structure which caused bind errors on some platforms, particularly OS X. (from 0.9.4b)
- Fixed wraparound error in ring buffer scanning functions which sometimes caused apparently random behaviour file compilation errors.
  (from 0.9.4a)

2002/06/25 - 0.9.4:

- Put real, registered OIDs in distributed sample LDAP schema
- Fixed CERT CA-2002-06 vulnerability #2
- Fixed conversion operators in language
- A number of bugfixes and improvements in the behaviour language:
  * actually implemented the conversion from string to date;
  * date + int sets current type to date;
  * IP address + int sets current type to IP address;
  * 'and', 'or' synonyms for '&&', '||';
  * divide by zero just aborts expression, instead of killing server;
  * fixed '!' behaviour on strings;
  * made date conversions to/from strings use localtime() instead of gmtime(). Run the server with TZ set to UTC if you want the old behaviour.
- Good cleanup of meta_buildtree()

2002/03/22 - 0.9.3:

- Fix major bug in example behaviour files involving CHAP. It plainly didn't work at all.
- Fixed bug in behaviour.sample-ldap-authbind, which would allow all non-PAP users in (that is, without checking any passwords).
- Fix bug in dictionary that caused Accounting signature validation to fail. Corrected mix up of Acct-Authentic and Acct-Authenticator.
- Included some test queries for PAP, CHAP and accounting for use with tools/radclient.
- Changed server to use raddb as current directory for modules again, so that all configuration files are kept in one place. Modules' own configuration files are stored under raddb/modules now. Also fixes bug when using ASCII clients- and users files.

2002/03/20 - 0.9.2:

- Added LDAP schema and ldif file with sample data; updated included example attribute mapping file; added proper example behaviour and configuration files for use with LDAP.
- When (auto-)converting a decimal string attribute to a numeric one, and the string is not a valid number, we try to look up the value as a named constant for the string attribute. If found, that value is used instead. Handy for doing things like 'Framed-Protocol = str-Framed-Protocol', and allows using constant names in LDAP that differ from our own.
- Start modules using their own directory as cwd. This allows modules to operate without having absolute paths to their configuration files specified on their command lines.
- Added elementary test command line client in tools/radclient. Reads list of ASCII A/V pairs on stdin (formatted as by ASCII modules) and displays pairs in response. Note that all attributes are sent as-is, including User-Password, and the response is not checked in any way, only displayed. Will add PAP/CHAP generator soon.
- Plugged a couple of memory leaks; Mozilla's leaky tool doesn't show any now (thanks to dmelomed@devonitnet.com for pointing this out).
- Fixed := operator bug that scribbled on memory when the instance assigned to was also referenced on right hand side.
- Big makefile cleanup. Supports GNU Make only now. I've given in to the temptations of the slogan "don't bother with portable makefiles, use a portable make instead". Portable makefiles don't seem to be possible at all if you want to add text to variables (for making lists) and want to use a common settings file so you can call make in every subdirectory.
- Added dictionary support for MS VSAs.
- Merged fixes to make it run on Mac OS X, untested though.
- Fixed (harmless) GCC warnings on LP64 platforms such as Alpha.

2001/12/08 - 0.9.1:

- Added LDAP module.
- Added some informational messages during server startup, to improve usefulness of '-d all', '-d misc -d recv' etc.; some other logging cleanups.
- Prepended log lines with internal facility names.
- Fixed bug caused by not emptying a channel's receive queue when its associated process dies. This caused the interface the channel was associated with not to recover gracefully from a subprocess restart.
- Added some radius attributes to 'constants.h' to root and put it in the public domain, to facilitate module writing.
- Put the Logger module (bourne shell script) in public domain as well.
- BSD/SysV compatibility fixes: Made uint32_t / u_int32_t dependent on Make.conf setting; more Make.conf cleanups/fixes
- Added more documentation for all modules.

2001/11/18 - 0.9:

- Added a lot of language documentation.
- Included the (bare) html files in the doc/html directory and generated the text files from that using lynx. The online docs are generated from them as well.
- Some precedence table fixes in langcompile.c; moved 'hex', 'md5' together with other unary prefix operators (still lower because we have string-related ops always lower than integer ones); moved '.' just below lastof / firstof and the like.
- Fixed minus handling for auto-radix numbers in meta_atoord; it used to require 0x-55 instead of -0x55.
- Made 'statement' operators (interface calls, del, moveall etc.) much more sane; they don't set the context to 'none' anymore so you can use them before closing a subexpression with ')'. They all leave something on the stack now. For del, delall and moveall, it's an int that reflects the number of pairs that were deleted resp. moved.
- Removed the comma operator hack, which allowed it to be used in context 'none' as well, where it would emit an OP_NOP. Not needed anymore because no operator returns context 'none' anymore (except the comma operator itself, which only still exists as a unary postfix operator that emits OP_POP).
- Made the pseudo-check items in dict.internal, that are likely to be returned by ascfile to be compared to request attributes rather than included in the actual reply, begin with a lowercase letter, so that you don't need to use REQ: all the time. Reflected that in example raddb/legacy/users as well.
- Added unixpasswd module. Simple, but probably effective enough.
- Also because of above, updated behaviour.sample and renamed to behaviour.sample-usersfile. Removed 'old', untested behaviour file.
  Kept configuration.old around, as it's slightly less misleading, although still just a more or less theoretic example, because most modules mentioned there still aren't written yet. Added DNS resolver example to it. Made behaviour.sample-unixpasswd the default one.
- Fixed bug in config.c that caused behaviour file compilation errors to be ignored.
- Makefile fixes in raddb/, modules/ and tools/.

2001/11/05 - v0.8:

- First public release.

2001/10/09 - v0.7:

- First version that actually gets the name OpenRADIUS and a version number, as all of the core functionality is finally implemented.