Releases: FreeRADIUS/freeradius-server
release_3_0_11
Feature improvements
- "unlang" comparisons of IP addresses to IP prefixes are now detected, and types automatically cast.
- Allow shorthand form of ipv4prefix values e.g. 127/8.
- Add "auto_chain" to raddb/mods-available/eap, tls subsection. This allows the disabling of OpenSSL auto-chaining of certificates, which might be wrong.
- Added printing of coa and disconnect stats (radmin).
- radclient defaults to expecting Access-Accept responses to Status-Server.
- Updated dictionary.lancom, dictionary.starent.
- Portability fixes for Solaris.
- More errors from ntlm_auth get passed to MS-CHAP.
- Update abfab-tr-idp virtual server.
- Added "filter_password" in policy.d/filter. This removes embedded zero bytes in User-Password, for compatibility with broken clients.
- The server now issues a WARNING message if duplicate configuration items are found.
- TLS can skip the "verify" section if OCSP returns OK. See raddb/mods-available/eap, "skip_if_ocsp_ok".
- Set TLS-OCSP-Cert-Valid = yes / no / skipped, which is the result from the OCSP check.
- Interoperate with AD and "LmCompatibilityLevel = 5", by always setting WBC_MSV1_0_ALLOW_MSVCHAPV2 for native winbind in rlm_mschap.
- TTLS and PEAP now require "virtual_server" to be a real server.
- Print WARNING when TTLS or PEAP identities are spoofed or not properly anonymized. See RFC 7542 for requirements.
- Various rlm_python fixes from Herwin Weststrate.
- Allow setting Response-Packet-Type in "Post-Proxy-Type Fail", which is useful when the home server does not respond.
- elasticsearch updates from Matthew Newton
Bug fixes
- Fix issue where field nas_type would not be accessible via the %{client:} xlat, for clients loaded from SQL.
- Fix compatibility issues with OpenSSL 1.0.2. Ignore calls to msg_callback with 'pseudo' content types.
- Data type "ipv4prefix" is parsed correctly.
- Use correct talloc context in rlm_exec. Fixes #1338.
- Complain in unlang if "else" is used with no previous "if" or "elsif".
- Send accounting status packets to the accounting port. Fixes #1364.
- Print out CFLAGS when doing "radiusd -Xxv"
- Fixed bug with coa/acct stats value #1339. Based on patch from Jorge Pereira.
- Fixes for LEAP proxying. Don't use LEAP!
- Fix issue with "directory already exists" seen when doing make install.
- Fixed bug with radmin related to the option "stats detail".
- Complain if the detail file reader does not have permission to read the detail.work file. Fixes #1398.
- Fixed SoH. Attributes were not being copied to the virtual server.
- Used a wrong list to global statistics in "stats".
- Create EAP-PWD identity correctly. Prevents segfaults.
- Dynamically validate authentication types for PEAP and EAP-MSCHAPv2.
- Fix includes in installed headers.
- OpenSSL 1.0.1f and 1.0.1g do NOT calculate TLS 1.2 keys correctly. See raddb/mods-available/eap, "disable_tlsv1_2".
- Allow password change to work for MS-CHAP. This requires 'r=0', because password changes are not retries.
- Fix home server fail-over for home servers using TCP and/or RadSec.
- Special characters in expanded regexes are now escaped e.g. User-Name containing '.', and comparing /%{User-Name}/, the '.' will now be escaped. See src/tests/keywords/regex-escape.
- Use correct authentication vector when sending Access-Reject replies for RadSec.
- Set FreeRADIUS-Proxied-To in TTLS again. You should use the "inner-tunnel" virtual server, instead of relying on this attribute.
- Fix debugging constants in rlm_perl. Patch from Herwin Weststrate.
- Add samba-dev / samba4-dev to debian builds so that rlm_mschap can automatically use the new winbind API.
- Automatically skip zero-length attributes when sending packets, instead of erroring out.
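To illustrate the regex escaping change above (a User-Name containing '.' expanded into /%{User-Name}/), here is an added Python model; it is not FreeRADIUS code, expand_pattern and compare_behaviour are hypothetical helpers, and the attribute values and subject strings are constructed.

```python
"""Model of the 3.0.11 change: attribute values expanded into a regex are now
escaped, so they match literally instead of acting as regex syntax.
(Added example, not FreeRADIUS code.)"""
import re

# Matches an xlat reference such as %{User-Name} inside a pattern template.
XLAT_REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def expand_pattern(template: str, attrs: dict, escape: bool) -> str:
    """Expand %{Attr} references in a regex template from request attributes.

    escape=False splices the value in verbatim (pre-3.0.11 behaviour);
    escape=True escapes regex metacharacters first (3.0.11 behaviour).
    Unknown attributes expand to the empty string, as an unset xlat does.
    """
    def sub(m):
        value = attrs.get(m.group(1), "")
        return re.escape(value) if escape else value
    return XLAT_REF.sub(sub, template)


def regex_matches(template: str, attrs: dict, subject: str, escape: bool):
    """Run the expanded pattern against subject.

    Returns True/False, or None when the unescaped value made the pattern
    itself invalid (the failure mode escaping also removes).
    """
    pattern = expand_pattern(template, attrs, escape)
    try:
        return re.search(pattern, subject) is not None
    except re.error:
        return None


def compare_behaviour(user_name: str, subject: str):
    """(old, new) results of comparing subject against /%{User-Name}/."""
    attrs = {"User-Name": user_name}          # constructed request attribute
    return (regex_matches("%{User-Name}", attrs, subject, escape=False),
            regex_matches("%{User-Name}", attrs, subject, escape=True))


if __name__ == "__main__":
    # '.' used to be a wildcard, so "bob.smith" also matched "bobXsmith".
    print(compare_behaviour("bob.smith", "bobXsmith"))   # (True, False)
    # A value of ".*" used to match everything; now only a literal ".*".
    print(compare_behaviour(".*", "anything"))           # (True, False)
    # An unbalanced "(" used to make the whole comparison unparseable.
    print(compare_behaviour("(", "x("))                  # (None, True)
```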
release_3_0_10
Feature improvements
- Do more optimization of unlang policies. This makes run-time a bit faster.
- Re-name most of the functions in src/lib. Third-party module authors will have to do the same.
- More documentation on contributing and how to write modules.
- Update radiusd.service for systemd.
- Open IPv6 proxy socket if the server is listening on IPV6 auth / acct / coa packets.
- Create debian packages for DHCP. Fixes #1125.
- Add more tests for "update" section parsing.
- Update "man" pages.
- Update attributes for Alcatel 7750
- Add dictionary for Boingo Wi-Fi
- Add support for DHCP lease queries. See raddb/sites-available/dhcp
- On HUP, check all modules for config files which have changed, and only re-load those modules.
- Allow FreeRADIUS-Response-Delay(-USec) to be set for RADIUS packets. Patch from Herwin Weststrate.
- Documentation fixes from Alan Buxey and Matthew Newton.
- Update "logrotate" script.
- Added more RFCs to doc/rfc for new standards implemented by FreeRADIUS.
- Don't crash when doing "radmin -e "help hup". Patch from Matthew Newton.
- The dictionary parser now does more sanity checks, which prevents run-time problems with invalid attributes.
- Update debian packages. Patches from Christopher Hoskin.
- Many other debian packaging fixes from Matthew Newton and Herwin Weststrate.
- Add "session-state" to Perl. Patch from Herwin Weststrate.
Bug fixes
- Fix rlm_files so that there are no collisions when loading 10's of 1000's of users.
- Fix radclient to use our internal v4/v6 parsing functions. v6 addresses with ports now work correctly.
- Fix sending/receiving packet messages to wrap v6 addresses in square brackets '[]'.
- Check for sasl/sasl.h when building rlm_ldap, and disable SASL functionality if unavailable.
- Fix issue which caused a non \0 terminated buffer to be assigned to attributes if the value being assigned contained an invalid escape sequence.
- Fix deadlock when reconnecting connections in the connection pool.
- Fix potential overrun in functions that used fr_utf8_char with a non nul terminated buffer.
- Fix decoding issue for Tunnel-Password type attributes which were very long. Found by Denis Andzakovic.
- Fix radclient issue with TCP sockets on FreeBSD.
- The server now creates ${run_dir} and ${logdir} directories in daemon mode, when running as "root".
- Handle tags when using maps. Fixes #1191.
- Fix crash when CoA packets time out.
- Fix parse error in rediswho
- Fix regex support in SQL radcheck, the "users" file and radsniff.
- Register listen xlat earlier, so that it's available when the virtual servers are being parsed.
- Parse Ascend-Data-Filter when given as "0x..."
- Print Ascend-Data-Filter correctly. Add test cases for both.
- Allow old-style clients again. They will be disallowed for 3.1.0 and following.
- Complain instead of crash when "else" and "elsif" are in the wrong place.
- Clean up memory more aggressively. This lowers the maximum memory used, most typically for TLS based EAP methods.
- Prevent the server from unlinking the control socket of an already running instance.
- Fallback to using the configured OCSP URL if one exists, and no URL is provided in the certificate.
- Return CoA-NAK if proxying CoA fails. Based on patch from Jorge Pereira.
- Lower peak memory usage by decreasing size of internal memory pools.
- The control socket is now left in place if a second copy of the server is accidentally started.
- Allow virtual attributes in "switch", "case", etc. Fixes #1240 and #1265.
- Many spell check / typo fixes in comments and example configuration files.
- Better handle multiple DHCP listeners.
- Don't print secrets for old-style realms. Fixes #1267.
- Don't fall through in empty "case" statements. Fixes #1274.
- Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
- Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work. Fixes #1206.
- Fix off by one error that caused some MSCHAP-Error messages to be sent without the password change version (V=3) and the textual message component (M=).
- Always include C= V= and M= in MSCHAPv2 errors. RFC 2759 does not say that any of these fields are optional, and not including V= caused errors with wpa_supplicant.
- Do not include M= in MSCHAPv1 errors. It's not supported.
release_3_0_9
Feature improvements
- Make "pool" configurations more consistent, and update documentation for them.
- Move connection pool logic to "most recently started", instead of MRU. This should help with pool stability.
- More VSAs for 3GPP2
- Added examples of multi-value attributes to rlm_perl.
- LDAP-Group and SQL-Group attributes are now dynamically allocated.
- Only the "sql" module registers SQL-Group. Other instances register "instance-name-SQL-Group", similarly to "ldap".
- Unknown attributes are now complained about more often when used in unlang statements. e.g. if (Foo-Bar == 3) used to be a string to string comparison. It is now a parse error.
- Rename RLM_COMPONENT_* to MOD_* in the code. This makes many things easier.
- Move to C99 initializers for modules.
- Load modules in raddb/mods-enabled. This allows attributes like "LDAP-Group" to be used in the "files" module, without explicit ordering or listing in "instantiate".
- Added 'bootstrap' section to modules. Third-party modules will need to be updated.
- When adding clients from a DB, add them to a virtual server if that virtual server has a "listen" section. Otherwise, add the clients to the global list.
- When reading dynamic clients from a file, don't expire them if the underlying file is unchanged.
- Allow the server to originate CoA requests from the post-auth stage.
- The server creates ${run_dir} and ${logdir} in daemon mode, if they do not already exist.
- Add dictionary for Wi-Fi Alliance Hotspot 2.0. The server now supports all mandatory and optional attributes for this specification.
- HUP now re-loads the configuration only if the files have changed. If all files are unchanged, HUP re-opens the log file, and does nothing else.
- Much better debug messages for EAP-TLS, including which attributes are cached, and when they are retrieved.
- Increase default max_requests to 16384. Memory is cheap now.
- Added "stats memory" commands to radmin. Debug build only.
- Aptilo controller dictionary updates.
- SQL modules now use Acct-Unique-Session-Id everywhere.
- The redis modules are now stable.
- The LDAP module now supports SASL "interactive bind" method. This allows Kerberos based administrator and user binds.
- DHCP code is now in libfreeradius-dhcp.
- More DHCP encoding / decoding unit tests.
- rlm_replicate can now be listed in the "accounting" section.
- Better sqlite debugging output.
- Remove "required" option from many sql_ippool directives.
- Set default CA "basic constraints" to "critical". Fixes #1073
- Updates to help / man pages from Jorge Pereira.
- Added more tests.
Bug fixes
- Be more careful about unused config item warnings when using -Xx.
- Move more defines to be auto-generated.
- Allow virtual servers in proxy fallback.
- Allow %{module:} to work.
- Don't crash in RadSec. Closes #980.
- Return better errors when a unix group / user is not found.
- Re-enable detail module "locking" parameter.
- Don't crash when logging replies from Status-Server packets.
- The couchbase module now uses "update" instead of "map", for consistency with the rest of the server. See raddb/mods-available/couchbase
- Don't require NT-Password for MS-CHAP password changes.
- Be a bit more careful about decrypting MS-CHAP-MPPE-Key attributes. Closes #1013. There is no perfect fix, though.
- Fix security issues with EAP-PWD. See http://freeradius.org/security.html#eap-pwd-2015
- Fix dynamic clients read from SQL in non-debug mode
- MS-CHAP now allows retries (i.e. password change) when passwords are expired.
- Allow "user=radiusd" when the server is already user "radiusd"
- suid up/down works on non-Linux systems. This means that the control socket should have the correct ownership.
- Fix issue which caused the server to sometimes have problems when a home server was marked zombie.
- Fix format.pl because Perl is now more picky.
- Fix proxy to Packet-Dst-IP-Address, so that it uses the correct destination port.
- Fix corner case with cursor functions and removal.
- OpenDirectory fixes and documentation.
- Fix leaks in rlm_redis.
- RFC 6929 "evs" attributes are now encoded / decoded properly.
- Fix talloc pool leaks when receiving malformed or retransmitted Accounting/CoA requests.
- Printed attributes again use double quotes instead of single quotes.
- Set X509_V_FLAG_CRL_CHECK_ALL, and add "check_all_crl" to eap.conf. Fixes oCert CVE-2015-4680.
- rlm_expr now errors out correctly on malformed attribute references instead of triggering an assert.
- Make "break" work in "foreach" loops
- Allow dynamic expansions to work again in the "hints" file.
- Correct minor typos in comments and examples from Alan Buxey.
- Re-urlencode the path portion of ldapi:// urls before passing it to ldap_initialise.
release_3.0.8
Feature improvements
- Allow syslog_severity to be set in rlm_linelog.
- Allow defaults to be set for bulk clients in LDAP and couchbase.
- Updates to dhcpclient. Patches from Nicolas C.
- rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton.
- Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random
- Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
- Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken.
- Add support for server side sort controls when searching for user objects in rlm_ldap.
Bug fixes
- Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block.
- Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emitted during config parsing.
- Fix ASSERT on truncated detail packets.
- Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc.
- Fix issue in "switch" when "correct_escapes = false". Fixes #911.
- Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail.
- Allow forward references in configuration items. Modules aren't always loaded in a sane order.
- Fix more escaping issues. Closes #912.
- Decode MAC addresses correctly for VMPS.
- Fix memory leak with TLS connections.
- Fix state machine threading issues for conflicting packets.
- Fix copy_request_to_tunnel issues for tagged attributes.
- Allow "ok" to over-ride "updated" inside of Auth-Type sections.
- Update state machine so that post-proxy is run through child threads for performance, instead of blocking the main thread.
- Allow "netmask" to work again in client definitions.
- Relax restrictions on SQL group queries.
- track outgoing proxy sockets and clean them up more aggressively.
- track proxy statistics, including CoA and Disconnect.
- If radmin has a connection failure when running a command, it re-connects and runs the command again.
- mark home servers "unknown" less aggressively.
- Fix potential SEGV in PostgreSQL driver on error.
- Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients.
- Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required.
- Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap.
- Fix invalid assert in state.c, that could cause abort in post-auth.
- Fix double free when -m flag is used, and connection pools are referenced by multiple modules.
- RADIUS over TLS accounting uses the same port as authentication.
- Regularized return codes from radmin commands.
- Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script.
- radwho and radlast now have a -D option to load dictionaries
- DHCP packets are no longer checked for duplicates.
- Don't crash in sql module group comparisons in corner case.
- Calculate MPPE keys correctly when using TLS 1.2.
- Fix load-balance sections. Closes #945
- TLS certificates are available again in the post-auth section. They are not available for session resumption.
- radclient encodes CHAP-Password properly when using -c. Closes #955.
- Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated.
- Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error.
- Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups.
- Fixes to PostgreSQL queries. Patches from Santiago Gimeno.
release_3_0_7
Feature improvements
- Allow coa home_servers to be derived from client sections if a coa_server section is provided.
- Automatically determine the correct port if no port is provided for a home server.
- Allow foreach to operate over lists.
- Add compile time features to ${feature.*} and versions of core libraries to ${version.*}. Feature and version names match output of radiusd -xv. %v is now deprecated.
- Add support for PATCH method in rlm_rest.
- Validate more module xlats on startup, and warn if an xlat expansion is found in a double quoted config item which will not be expanded.
- Add support for sub-second timeouts in rlm_rest.
- Add support for connection timeouts in rlm_rest.
- Add %{jsonquote:<str>} xlat to escape strings for insertion into json documents.
- Add %{ldapquote:<str>} xlat to escape strings for insertion into ldap DNs.
- Add %{explode:&ref <char>}, which splits the value of &ref on <char> and creates new &ref type attributes with the fragments.
- Allow rlm_ldap to use attribute references for base_dn and filter config items. The attribute references are not escaped, allowing DNs and filters to be created dynamically.
- Add %{nexttime:[<int>]h|d|w|y} to calculate the number of seconds before the next <int> hour(s), day(s), week(s), or year(s).
- Allow the left side of update sections to be xlat expansions. The result of the expansion is then used to reference the attribute to be modified.
- Added %{lpad:&Attribute-Name 7 x} and rpad. These produce fixed-width output strings, with padding to the left (lpad) or the right (rpad).
- For some SQL drivers (MySQL, sqlite) distinguish between constraint violations (on insert), invalid queries, and server errors, and return noop, invalid, and error respectively.
- Call SHOW WARNINGS in the MySQL driver and write them to the request log, if libmysqlclient indicates warnings are available on the server.
- Forbid the creation of Vendor-Specific for non-standard VSAs. Use Attr-26 = 0x... instead.
- Make dhcpclient work with raw sockets and various other improvements. Contributed by nchaigne.
- Add support for SSHA2. Contributed by PDD.
- Add perle dictionary. Contributed by Hachmer.
- Modernise init scripts for RHEL, SUSE and Debian.
- radmin now tracks the return code of commands, and exits with status "1" if any command failed to execute.
- radmin now sends error messages from the server to stderr, instead of to stdout.
- radmin now looks for sockets matching its UID and GID, rather than just always using the first one it finds.
- radmin can now delete clients which are tied to a listener.
- Moved RADIUS attribute definitions to src/include/rfc*.h
- Move to talloc pools for requests. For in-memory tests (default config, 'users' file), performance increases by 30%.
- In rlm_ldap allow sasl_mech to be specified for admin and user binds. Only non-interactive mechs (like EXTERNAL) are currently supported.
- Remove support for ephemeral RSA keys. They were "export only", and should not be used by anyone.
- Syntax errors in the "users" file now produce better error messages.
Bug fixes
- Fix issues parsing LDAP hostnames with non-standard ports.
- Fix issues with realms containing regular expressions.
- Allow unary negation before parentheses in rlm_expr.
- Fix infinite loop in kevent event loop code. Issue only presented on FreeBSD.
- Be more careful to define Auth-Types before loading modules.
- Link libfreeradius-radius against OpenSSL too, to avoid multi-version symbols in SSL libraries.
- When rlm_ldap rebinds a connection, it should use bind credentials from the module that created the connection pool, not credentials from the module referencing it.
- Empty server config pairs should be allowed in rlm_ldap instances that reference another module's connection pool.
- Mark rlm_always as huppable, so its rcode can be changed via radmin (allows policy toggles).
- Emit warnings when ignoring user configured pool values.
- Fix issue that would cause radclient to complain intermittently about differing numbers of filters and requests.
- Fix cosmetic issues in connection pool logging, that made it appear as if the same connection was being opened multiple times.
- Fix threadsafety issues in SQL drivers, where a static buffer was used to store error messages.
- Log RERROR, RWARN, RINFO to the global log if request logging is not enabled.
- Link to libldap instead of libldap_r. libldap_r is not supported for use by projects outside of OpenLDAP.
- Set connection timeout correctly in rlm_sql_mysql.
- Build with older versions of libcurl, and use CFLAGS from curl-config.
- Honour Packet-Src-Port and Packet-Src-IP-address in radclient.
- Initialise ldapai_info_version field, so libldap will report its vendor and version.
- Fix log rotation scripts by using the copyrotate option.
- Fix issue that caused opening control sockets to always fail on non-Linux systems, if a user or group was set.
- Save Session-State after proxying.
- Additional fixes for reading CoA/DM requests from detail files.
- Create dynamic clients if the dynamic clients virtual server returns ok or updated. Emit useful messages for other codes.
- Compile bare "authorize" statements, and issue errors saying using them isn't a good idea.
release_3_0_6
Feature improvements
- radmin / raddebug conditional errors are printed to the output, instead of being discarded.
- raddebug will exit if condition set with -c was invalid.
- radmin auto-reconnects if the connection to the server has gone away.
- rlm_cache now has submodule support. See raddb/mods-available/cache
- New memcached driver for rlm_cache. See raddb/mods-available/cache
- Add support for &Attribute-Name[*] in conditions. See "man unlang" for details.
- Add &Attribute-Name[n] which gets the last instance of an attribute e.g. Module-Failure-Message[n].
- Allow for redundant string expansions. See the "instantiate" section of radiusd.conf.
- When checking IP addresses in conditions, make the right side be parsed as an IP prefix.
- Support JIT compilation of compiled regular expressions when built with libpcre.
- Support named capture groups with "%{regex:}" when built with libpcre.
- Increase regular expression capture groups from 8 to 32.
- Emit error markers for badly formed regular expressions.
- Allow 'm' flag to enable multiline mode in regular expressions.
- Support limited implicit attribute conversion in update sections.
- Support casting between IPv6 and IPv4 where the IPv6 address has the v4/v6 mapping prefix (::ffff:).
Bug fixes
- PEAP works again. As does proxying EAP-MSCHAPv2 from inside of a PEAP tunnel.
- "group" is allowed inside of "instantiate" sections.
- update disconnect {} with disconnect:Packet-Dst-IP-Address now works correctly.
- Regular expression comparisons of non string attributes are now disallowed in the files module. Previously they would silently fail or produce undefined behaviour.
- Fix parsing of old regular expressions. Closes #842
- Fix off by one error in ascend filters. Closes #843.
- Handle NT-Hash in rlm_pap. This allows passwords to have backslashes in them.
- Fix infinite loop on "Fall-Through = yes" when processing SQL groups.
- Correct the check of SQL query return code.
- Run "Post-Auth-Type Reject" if the request was rejected in post-auth
- Write "Login OK" only if the post-auth section passed.
- Create TLS-Cert-* certificates, even when EAP session caching is disabled.
- Finalize the "correct_escapes" with many more tests.
- Move to the new OpenLDAP libldap API, fixes more issues with binary values.
- Fix potential memory corruption in rlm_ldap if start connections were set to 0, and the server was running in threaded mode. The fix is a workaround for an issue in libldap and was suggested by Howard Chu.
- Give parse errors on "%{...", without the closing brace.
- Allow spaces in certificate passwords for build rules in raddb/certs/
- Make all regular expression evaluation binary safe. Where that's not possible, emit an error if the pattern or subject contains an embedded null byte.
- Fix various issues around masking IPv6 addresses.
release_3_0_5
Feature improvements
- Large update to Huawei dictionary.
- Added dictionary.rfc7155
- Regular expressions like /%{User-Name}/ are now parsed and validated when the server starts.
- All configuration items which are dynamically expanded are now parsed and validated when the server starts.
- %{expr:...} expressions can now do bit shifting and more. See raddb/mods-available/expr.
- The detail file reader can now track packets which have had replies, so they are never re-transmitted. See raddb/sites-available/buffered-sql, the "track" config item.
- CoA and Disconnect packets can now be sent to a specific home server by setting control:Packet-Dst-IP-Address and (optionally) control:Packet-Dst-Port.
- Allow CoA and Disconnect packets to be read from the detail file.
- Allow LDAP to specify arbitrary attributes for dynamic clients.
- Convert all unused attributes in the control: list to config pairs in dynamic clients. This allows arbitrary client attributes to be set for dynamic clients too.
- rlm_couchbase now supports bulk loading of clients on startup in a similar way to rlm_ldap. Contributed by Aaron Hurt.
- Allow one level of backslashes (finally). See radiusd.conf, "correct_escapes" setting.
- Rename dictionary.redback to dictionary.ericsson.ab
- Add --disable-openssl-version-check option to configure, so vendors can disable the check. Patch from Nikolai Kondrashov.
- Do context-specific indenting in debug messages. This makes the debug output easier to read.
- Make configuration a separate RPM, just like for Debian.
- better decoding of unknown VSAs
- When supported by OpenSSL, allow TLS 1.1 and TLS 1.2 in EAP methods.
- Allow multiple new connections to be spawned simultaneously in the connection pool, to cope with spikes in traffic.
- Document retry_delay in connection pools.
- Allow checksimul in rlm_couchbase.
- Use kqueue on systems which support it. This allows for better scaling when using many sockets.
Bug Fixes
- Parse list qualifiers in generic LDAP 'valuepair_attribute' attributes correctly.
- Fix issue where prefix length would be ignored for dynamic or static clients if the address matched INADDR_ANY (0.0.0.0).
- Allow null user object filter in rlm_ldap, it's valid to specify a complete object DN and use the base scope.
- Don't SEGV if a received attribute value in a JSON structure is null, or a value can't be stringified.
- Don't assert if the server returns a JSON content-type and the server hasn't been built with support for JSON. Closes #808.
- Set CURLOPT_NOSIGNAL to prevent curl from handling signals and causing a longjmp error when the server was running with threads.
- Allow tabs after attribute names in the "users" file. Closes #796.
- Free unknown DICT_ATTRs. Closes #795
- Handle unknown attributes in the conditions and "update" sections. e.g. Attr-1.2.3.4 = foo.
- Use correct array size for MS-CHAP new password.
- In rlm_rest, check for older versions of libraries at start time, rather than when a packet comes in.
- Don't call detach on parse error in rlm_perl. Closes #802.
- Integer fixes for big-endian systems. Closes #803.
- Don't optimize %{Packet-Src-IP-Address}. Closes #804.
- dhcpclient loads dictionaries correctly. Closes #805.
- double quotes are no longer escaped in single-quoted strings. e.g. 'foo "hello" bar'.
- Fixes for proxying to virtual servers broke the detail file reader. Now they both work.
- Typos and fixes from Nikolai Kondrashov.
- Fixes to OpenSSL version checks, for cross-platform issues.
- cppcheck fixes from Herwin Weststrate.
- Fix build for OSX Yosemite
- Merge DHCP sub-options. Closes #812.
- Fix decoding of Starent attributes.
- When a module asks for a connection, don't return idle connections.
- LDAP connection timeouts will now retry, instead of failing.
- Prevent race conditions between fork and wait for child. Patch from James Rouzier.
- Fix triggers for connection pools. Patches from Nikolai Kondrashov.
- Fix SEGV when comparing non string type check items.
- Build with newer versions of libmysqlclient.
- make the %{escape:} and %{unescape:} xlat functions UTF8 safe.
- Don't escape UTF8 chars in SQL query strings.
- Fix issue in cached LDAP group comparisons, which caused checks to sometimes fail.
- Fix use after free issue in unlang switch evaluation.
- Respect operators in rlm_cache when merging into the current request.
- Update Cache-Entry-Hits each time rlm_cache is called.
- Produce WARN messages if SQL queries are empty strings.
- Fix invalid assertion when proxying CoA requests.
- Allow empty strings in "case" statements. Closes #836.
- Normalize escaping for string expansions. i.e. don't do double escaping in rare situations.
- Normalize LDAP escaping. LDAP servers have multiple ways to escape things, so the data has to be normalized before we can compare two LDAP DNs.
- Don't go to high debug level if we're proxying inner EAP as EAP. Closes #839.
- Fix rlm_rest state handling. Closes #835.
release_3_0_4
Feature improvements
- Home server "response_window" can now take fractions of a second. See proxy.conf.
- radmin now supports "show module status", as the counterpart to "set module status"
- Added dictionary ericsson.packet.ccore.networks, bluecoat, citrix, compatible, riverbed, ruckus, and RFC 7268.
- Add %{tag:} expansion to get the tag value of an attribute.
- Report 'application_name' in connections to PostgreSQL servers. FreeRADIUS connections will now appear as 'FreeRADIUS - ' in pg_stat_activity.
- All config item fields are now type checked at compile time to prevent issues similar to #634 occurring again.
- Modify pairparsevalue to deal with embedded NULLs better, and use the binary versions of attribute values in rlm_ldap.
- "ipaddr" will now use v6 if no v4 address is present. You should use "ipv4addr" or "ipv6addr" to force v4/v6 addresses.
- The above applies to "listen", "home_server", and "client" sections.
- "client" sections will allow "ipaddr = 192.192.0/24". The old "netmask" is still accepted, but the new format is preferred.
- Allow custom HTTP headers to be set for rlm_rest requests using control:REST-HTTP-Header (attributes consumed after use).
- Extend format of %{rest:} expansion to allow HTTP method and POST data to be specified e.g. %{rest:POST http://example.org/api foo=bar&baz=boink}.
- Add %{hmacsha1:&data &key} and %{hmacmd5:&data &key} expansions for signing data in requests.
- rlm_cache now consumes its control attributes to make runtime configuration easier.
- Add control:Cache-Read-Only which when set to 'yes' will make the cache module merge existing cache data, but not create new entries.
- Add %{unescape:} and %{urlunquote:} expansions to reverse escaping and urlquoting.
- Add support for aliases in rlm_ldap.
- Add support for connection pool sharing to all modules that use the connection pool (pool = ).
- "tls" sections now have a "psk_query" configuration item, for dynamic queries to discover a key from a PSK identity.
- Preliminary support for EAP channel bindings.
- Foundational work for dynamic home servers. They do not yet work, but this is now only a matter of updating the "realm" module in a future release.
- Support &attr[*] syntax to copy all instances of an attribute when used with the += operator in an update section. May be qualified with a tag.
- The logintime and expiration modules can now be listed in the post-auth section. This makes some configurations simpler.
- Allow comparison of integer attributes of different sizes, without requiring a cast.
- rlm_sqlippool is now IPv6 capable. Set "ipv6 = yes" to get Framed-IPv6-Prefix returned. The SQL queries have NOT been updated. Please submit patches.
- The Debian build now checks for the OpenSSL package with the Heartbleed fix, and if found, sets: allow_vulnerable_openssl = 'CVE-2014-0160'
- Allow bootstrap from multiple files in the sqlite driver.
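The following raddb fragment is an added example, not part of the FreeRADIUS release notes or the project's own default configuration, that exercises several of the 3.0.4 items listed above in one place: the CIDR form of client "ipaddr", pinning the address family with "ipv4addr", the &attr[*] copy, control:REST-HTTP-Header with the extended %{rest:} form, %{hmacsha1:}, control:Cache-Read-Only, and listing expiration/logintime in post-auth. The client name and shared secret, the URL http://example.org/api, the group name "staff" and the use of the internal Tmp-String-* attributes as scratch space are placeholders chosen for the example; module instance names (rest, cache, ldap) assume the default mods-available names.

```unlang
#
# Added example (not project code): FreeRADIUS 3.0.4 features in one fragment.
#

# clients.conf: a CIDR prefix in "ipaddr" replaces the old "netmask" item.
client lab-nas {
    ipaddr = 192.0.2.0/24          # placeholder network
    secret = ChangeMe-lab-secret   # placeholder secret
}

# radiusd.conf: "ipaddr" now falls back to IPv6 when no IPv4 address is
# present, so pin the address family explicitly with ipv4addr / ipv6addr.
listen {
    type     = auth
    ipv4addr = *
    port     = 1812
}

# sites-enabled/default
server default {
    authorize {
        # LDAP-Group checks should use an attribute reference.
        if (&LDAP-Group == 'staff') {
            # &attr[*] with += copies every instance, not only the first.
            update reply {
                &Cisco-AVPair += &control:Cisco-AVPair[*]
            }
        }

        # Custom header for the next rlm_rest request. The attribute is
        # consumed by that request, so it cannot leak into a later one.
        update control {
            &REST-HTTP-Header += "X-Client: %{client:shortname}"
        }
        # %{rest:} now accepts a method and POST body. Assumption: rlm_rest
        # escapes the expanded %{User-Name} itself, so it is not quoted here.
        update request {
            &Tmp-String-0 := "%{rest:POST http://example.org/api user=%{User-Name}}"
        }

        # Attribute references work in existence checks: only sign when the
        # REST call returned data. Assumption: the HMAC key was loaded into
        # control:Tmp-String-1 earlier (for example by the files module).
        if (&Tmp-String-0) {
            update request {
                &Tmp-String-2 := "%{hmacsha1:&Tmp-String-0 &control:Tmp-String-1}"
            }
        }

        # Merge data already cached for this key, but never create an entry.
        update control {
            &Cache-Read-Only := yes
        }
        cache
    }

    post-auth {
        # Both modules may now be listed here (new in this release).
        expiration
        logintime
    }
}
```

Run `radiusd -XC` after adding a fragment like this: the new compile-time type checking of config items, also introduced in this release, reports a mistyped value before the server starts.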
Bug Fixes
- Make case-insensitive regular expressions work again, and add tests for them.
- Fix a few more talloc parenting issues.
- Fix delayed proxy reply handling. Closes #637
- Fix OpenSSL initialization order when using RADIUS/TLS. Fixes #646
- Don't double-quote strings in debugging messages
- Fix foreach / break. Fixes #639
- Chargeable-User-Identifier, ADSL-Agent-Circuit-Id and ADSL-Agent-Remote-Id should be "octets" types in the default dictionary.
- Fix typo in mainconfig. Fixes #634
- More rlm_perl fixes. Fixes #635
- Free OpenSSL memory on clean exit.
- Fix [0] !* ANY - Was removing all instances of
- Fix case where multiple attributes were returned from RHS of mapping, as with rlm_ldap. Fixes #652
- Fix corner case in cursor where using fr_cursor_next_by_da after calling fr_cursor_remove may have resulted in a read of uninitialised memory.
- Don't SEGV if all connections to a database server go away. Fixes #651.
- Fix issue where -= removed only untagged instances of a matching attribute, not tagged ones.
- Fix issue where tag values were not being set on attributes created with unlang/ldap update blocks.
- Create rlm_sqlcounter attributes as integer64 types instead of integer types, so large counter values can be specified.
- Fix issue where specifying a dynamic client IP address using FreeRADIUS-Client-IPv6-Prefix or FreeRADIUS-Client-IP-Prefix may have caused a validation error.
- Don't print two "&" for messages about attribute or list references in debug output.
- Fix urlquote and escape to encode Unicode characters correctly.
- Fix redundant-load-balance blocks to try other modules in the group if one fails.
- Fix issue with rlm_pap password normalisation where 'known good' password strings stored in octets type attributes would sometimes be misnormalised as base64.
- Don't stop processing DHCP options if we find a 0x00 padding option.
- Fix issue where modifying the value of an attribute created from a template with a literal value, may have resulted in the template literal being freed.
- Fix parenting issues in tls code which may have resulted in memory corruption and crashes.
- Fix issue in radsniff where, when writing to PCAP files with -R response filters, requests were still written to the PCAP even though their responses did not match the filter.
- Define __APPLE_USE_RFC_2292 so that the server builds with IPv6 support on OSX.
- Fix LDAP group lookups for named rlm_ldap instances. Note that attribute references should be used when checking LDAP-Group attributes. e.g. if (&LDAP-Group == 'foo').
- Delayed attribute references can now be used in unlang existence checks. i.e. if (&Attribute-Name) { ... }
- Fix issues in EAP-PWD. CVE-2014-4731, CVE-2014-4732, and CVE-2014-4733. There is no external authentication bypass.
- Fix a number of uses of the talloc parent/child reference.
- Release connection used for reading bulk clients in rlm_ldap.
- rlm_rest is now fail-safe if it is used without any configuration.
- Pull in build fixes for FreeBSD from ports.
- Fix error in sqlite postauth query.
- Evaluate argument to "switch" statements once, instead of for each "case" statement.
- Define sig_t on systems without it. Closes #765.
- Fix boundary issue with rlm_rest. Closes #768
- Optimize "%{Attribute-Name}" in comparisons only if the dictionary types match.
- Don't do chmod() in rad_mkdir() if the directory already exists. We might not have permission to change it.
- Use getpwnam_r() and getgrnam_r() on systems which support it. Closes #775.
- Clients loaded from SQL are now tied to the "listen" section of a virtual server, instead of being global.
- Check for -lpcre. The system might have pcre.h without -lpcre.
- When proxying to a virtual server, use the proxy_reply instead of ignoring it.
- Fixed typos in DHCP SQL IPPool.
- Fix crash when passing multiple arguments to Perl xlat.
release_3_0_4_rc2: A number of fixes (mainly comments) to rlm_expr
* Update the urlunquote example to make it copy-pastable by doubling the %. Add a comment why.
* Typo fix: s/wont'/won't/
* Removed UNUSED macro for *instance in (un)escape_xlat, it is being used here.
* Fix the unescape example, the name here should be unescape, not escape.
* Added a ":" after "Example" in tolower. This makes it easier to find the examples in this file, since all other examples did this.
release_3_0_4_rc1
Merge cache changes from master