- OpenSSL was updated to 3.1.4 in CU181 and to 3.2.1 in CU183 but in both cases freeradius
was not incremented to cause it to be shipped.
- This patch increments the freeradius PAK_VER to ensure it will be shipped.
Fixes: Bug#13590
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.0.26 to 3.2.3
- Update of rootfile
- Changelog
3.2.3
Feature Improvements
Add "max_retries" for connection pools. Fixes #4908. Patch from Nick Porter.
Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
dictionary.wispr; add dictionary.eleven.
You can now list "eap" in the "pre-proxy" section. If the packet contains a
malformed EAP message, then the request will be rejected. The home server
will either reject (or discard) this packet anyway, so this change can only
help with large proxy scenarios.
Show warnings if libldap is not using OpenSSL.
Support RADIUS/1.1. See
https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/. Disabled by
default; it can be enabled by passing `--with-radiusv11` to the configure
script. For now, this is for testing interoperability.
Add extra sanity checks for malformed EAP attributes.
More TLS debugging output.
Clear old module instance data before HUP reload. Avoids burst memory use
when e.g. using large data files with rlm_files. Patch from Nick Porter.
`rlm_cache_redis` is now included in the freeradius-redis packages.
Separate out python2/python3 in Debian Packages. Previously python 2 or 3 was
built depending on the system default which led to confusion. We now build
both freeradius-python2 and freeradius-python3 packages where possible.
Bug Fixes
Don't leak MD contexts with OpenSSL 3.0.
Increase internal buffer size for TLS connections, which can help with
high-load proxies.
Send Status-Server checks for TLS connections.
Give a descriptive error if "update CoA" is used with "fake" packets, as it
won't work, i.e. inner-tunnel and virtual home servers.
Many small ASAN / LSAN fixes from Jorge Pereira.
Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS
error, it will now close the socket, so proxies do not have an open (but
dead) TLS connection.
Fix mutex locking issues on inbound RADIUS/TLS connections. This change avoids
random issues with "bad record mac".
Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950.
Correctly report the LDAP group a user was found in. Fixes #3084. Patch from
Nick Porter.
Force correct packet type when running Post-Auth-Type. Helps with #4980.
Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996.
Fix TCP socket statistics. Closes #4990.
Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps
with #5010.
3.2.2
Feature Improvements
The "configure" process now gives a much clearer report when it's finished.
Patches by Matthew Newton.
Fall back to "uname -n" on missing "hostname". Fixes #4771.
Export thread details in radmin "stats threads". Fixes #4770.
Improve queries for processing radacct into periodic usage data. Fix from Nick
Porter.
Update dictionary.juniper.
Add dictionary.calix.
Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets".
Update documentation for robust-proxy-accounting, and be more aggressive
about sending packets.
Add per-module README.md files in the source.
Add default Visual Studio configuration for developers.
Postgres can now automatically use alternate queries for errors other than
duplicate keys.
%{listen:TLS-PSK-Identity} is now set when using PSK and psk_query. This helps
the server track the identity of the client which is connecting.
Include thread stats in Status-Server attributes. Fixes #4870.
Mark rlm_unbound stable and add to packages. Patches by Nick Porter.
Remove broken/unsupported Dockerfiles for centos8 and debian9.
Ensure Docker containers have stable uid/gid. Patches from Terry Burton.
Bug Fixes
Preliminary support for non-blocking TLS sockets. Helps with #3501.
Fix support for partial certificate chains after adding reload support.
Fixes #4753.
Fix handling of debug_condition.
Clean up home server states, and re-sync with the dictionaries.
Correct certificate order when creating TLS-* attributes. Fixes #4785.
Update use of isalpha() etc. so broken configurations have less impact on the
server.
Outgoing TLS sockets now set SNI correctly from the "hostname" configuration
item.
Support Apple Homebrew on the M1. Fixes #4754.
Better error messages when %{listen:TLS-...} is used.
Getting statistics via Status-Server can now be done within a virtual server.
Fixes #4868.
Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878.
Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton.
3.2.1
Feature Improvements
Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries.
Add simultaneous-use queries for MS SQL.
Add radmin command for "stats pool <module-name>", which prints out statistics
about the connection pools.
Client statistics now shows "conflicts", to count conflicting packets.
New optional "lightweight accounting-on/off" strategy. When refreshing
queries.conf you should also add the new nasreload table and corresponding
GRANTs to your DB schema.
Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with Eduroam.
Suggested by Stefan Winter.
Allow auth+acct for TCP sockets, too.
Add rlm_cache_redis. See raddb/mods-available/cache for details.
Allow radmin to look up home servers by name, too.
Ensure that dynamic clients don't create loops on duplicates. Reported by Sam
Yee.
Removed rlm_sqlhpwippool. There was no documentation, no configuration, and
the module was ~15 years old with no one using it.
Marked rlm_python3 as stable.
Add sigalgs_list. See raddb/mods-available/eap. Patch from Boris Lytochkin.
For rlm_linelog, when opening files in /dev, look at "permissions" to see
whether to open them r/w.
More flexibility for dynamic home servers. See
doc/configuration/dynamic_home_servers.md and raddb/home_servers/README.md.
Allow setting of application_name for PostgreSQL. See mods-available/sql.
Bug Fixes
Correct test for open sessions in radacct for MS SQL.
The linelog module now opens /dev/stdout in "write-only" mode if the
permissions are set to "u+w" (0002).
Various fixes to rlm_unbound from Nick Porter.
PEAP now correctly runs Post-Auth-Type Accept.
Create "TLS-Cert-*" for outbound RadSec, instead of TLS-Client-Cert-*.
Fixes #4698. See sites-available/tls, and fix_cert_order.
Minor updates and fixes to CI, Dockerfiles and packaging.
Fix rlm_python3 build with python >= 3.10. Fixes #4441.
3.2.0
Feature Improvements
All features from 3.0.x are included in the 3.2.x releases. In addition:
Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which day
of the month the counter should be reset.
Partial backport of rlm_json from v4, providing the json_encode xlat. See
mods-available/json for documentation.
Support for haproxy "PROXY" protocol. See sites-available/tls,
"proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/.
Support for sending CoA-Request and Disconnect-Request packets in "reverse"
down RadSec tunnels. Experimental for now, and undocumented.
It is now possible to run a virtual server when saving / loading TLS cache
attributes. See sites-available/tls-cache for more information.
Removed the "cram" module. It was undocumented, and used old and insecure
authentication methods.
Remove the "otp" module. The "otpd" program it needs is no longer available,
and the module has not been usable since at least 2015.
All features from 3.0.x are included in the 3.2.x releases.
3.2.0 requires OpenSSL 1.0.2 or greater.
Bug Fixes
All bug fixes from 3.0.x are included in the 3.2.x releases.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There are no functional changes in these files, but they are however
linked against OpenSSL 1.1.1 and need to be re-shipped before we remove
the legacy library.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since we have extended services.cgi that it reads the Services field
from the Pakfire metadata, we will need to make sure that that metadata
is going to be on those systems.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it makes sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
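As an added illustration (not code from the IPFire tree or its make.sh) of the check this commit describes: a download is verified against a BLAKE2 digest, and any value that is not a full 128-hex-character BLAKE2b-512 digest (for instance an MD5 entry left over from before the switch) is rejected rather than compared. The sample bytes and the function names are constructed for the example.

```python
"""Added example: verify a source archive against a BLAKE2b-512 checksum,
in the spirit of the LFS checksum switch from MD5 to BLAKE2."""
import hashlib
import hmac

# Constructed stand-in for a downloaded tarball; a real check reads the file bytes.
SAMPLE_TARBALL = b"freeradius-server-3.2.3.tar.bz2 (constructed sample bytes)"

HEX_DIGITS = set("0123456789abcdef")


def blake2_digest(data: bytes) -> str:
    """Hex BLAKE2b-512 digest, the same form `b2sum` prints by default."""
    return hashlib.blake2b(data).hexdigest()


def verify_download(data: bytes, expected: str) -> str:
    """Return 'ok', 'mismatch' or 'bad-checksum-format'.

    A 32-character MD5 value (or anything else that is not a BLAKE2b-512
    hex digest) is refused outright, so a half-converted checksum entry
    cannot silently pass.
    """
    expected = expected.strip().lower()
    if len(expected) != 128 or any(c not in HEX_DIGITS for c in expected):
        return "bad-checksum-format"
    actual = blake2_digest(data)
    # compare_digest is constant-time; not critical for a local file check,
    # but the habit costs nothing.
    if hmac.compare_digest(actual, expected):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    good = blake2_digest(SAMPLE_TARBALL)
    print(verify_download(SAMPLE_TARBALL, good))              # ok
    print(verify_download(SAMPLE_TARBALL + b"\x00", good))    # mismatch
    # An MD5-sized value, as a stale entry would look:
    print(verify_download(SAMPLE_TARBALL, "d41d8cd98f00b204e9800998ecf8427e"))  # bad-checksum-format
```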
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.
There is no need in shipping all these files en bloc, as their
functionality won't change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
* Add a Summary and Services field to all pak lfs files
* Replace occurrences of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
macro in all pak lfs files.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Added --without-rlm_python to ./configure to allow running without python2
- Updated rootfile
- Updated patch for preventing cert generation during buildtime to work with new
version of source code
- Update from 3.0.21 to 3.0.23
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
We have no supported armv5tel board left, so we can switch to the higher
arch. This can now use the vpu (still in the softfp calling convention to
not break existing installations).
This fixes many compile problems; boost is now working again.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The package requires more libraries than libtalloc from
the samba package and therefore we need this dependency
again.
Fixes: #12538
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
freeradius seems to care about which version it has been
compiled with and refuses to start. This switch disables
this behaviour.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>