We are pleased to announce the release of Radiator version 4.23

This version contains security fixes for EAP-pwd authentication and certain TLS configurations. Other changes include new features, enhancements and bug fixes. See below for the details.

As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-----------------------------

Revision 4.23 (2019-04-10) security fixes, new features, enhancements and bug fixes


    Selected compatibility notes, enhancements and fixes

Improved AcctLogFILE to support JSON.

Security fixes for EAP-pwd authentication and certain TLS configurations. OSC recommends that all users
review OSC security advisory OSC-SEC-2019-01:
https://www.open.com.au/OSC-SEC-2019-01.html


      Known caveats and other notes

TLSv1.3 is not enabled by default for TLS based EAP methods.

TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.


      Detailed changes

Fixed EAP-pwd implementation security bugs reported by Mathy Vanhoef.

Added an example of using SupplementaryGroups option in systemd goodies files radiator.service and [email protected]. This parameter is typically used with AuthBy NTLM to grant access to winbindd socket.

Added support for experimental parameters EAPTLS_CRLCheckUseDeltas and TLS_CRLCheckUseDeltas. These enable Delta Certificate Revocation List support for TLS based EAP and Stream classes, such as EAP-TLS and RadSec. Added test CRLs to the Radiator demo certificates. See the Radiator reference manual for the details.

Fixed a crash in EAP-TLS and TLS based Stream classes, such as RadSec, when Radiator tried to log information about a certificate during specially configured verification. The certificate is not made available by the TLS library in all verification failure cases. Reported by Stefan Winter.

AuthGeneric.pm updates: MSCHAPv2 was incorrectly logged as misspelled when checking the AuthenProto configuration parameter. Addressed a number of Perl::Critic reports.

AuthBy RADIUSBYATTR HostParamDef now accepts 0 as a possible default value.

Updated test.pl to clean up temporary files after finishing.

DiaClient inheritance was updated to allow better log message control. Updated diapwtst accordingly. Addressed a number of DiaClient related Perl::Critic reports.

Fixed some log messages that did not correctly interpolate variables. Addressed other minor results reported by Perl::Critic.

Added RAdmin + TOTP configuration sample radmin_totp.cfg in goodies.

JSON::MaybeXS was mistakenly added as a JSON backend. However it is a wrapper for backends so it is now removed from the list of JSON backends.

Peer certificate issuer, subject and serial number (in decimal and hexadecimal format) are now logged at debug level when Radiator verifies a peer certificate during EAP-TLS authentication or a TLS based stream connection. This information is logged from the verify callback while the TLS/SSL library is doing certificate verification. Logging is now done during both successful and failing verification. Previously only some certificate information was logged.

Updated dictionary. Added 6 new VSAs for VENDOR 388 Symbol. For VENDOR 4329 Siemens, added Siemens-AP-Mac as a new VSA and Siemens-Ingress-RC-Name and Siemens-Egress-RC-Name as aliases for Siemens-Ingress-RC and Siemens-Egress-RC.

LogSYSLOG did not log Trace 5 level messages but instead printed warnings about an invalid level/facility to STDERR. Reported by Paul Dekkers.

Requests without User-Name were triggering warnings that were enabled in Radiator 4.21. The reported cases now avoid warnings, and usernames that are empty rather than undefined are now logged more clearly. Similar work enabling more warnings continues and any reports are welcome. The cases now fixed were reported by Paul Dekkers and Roland Rosenfeld.

When malformed attributes are received, the sender IP address and port are now included in the log message. Suggested by Paul Dekkers.

Added support for the configuration parameter AddToRequestIfNotExist to AuthBy RADIUS, AuthBy RADSEC, and AuthBy DNSROAM.

Fixed make zipdist and other non-default make targets, which previously failed.

Unit test name cleanup and better separation between tests.

generate-totp.pl and nthash.pl goodies utilities no longer need Radiator modules. They now require Net::SSLeay and Digest::MD4, respectively.

diapwtst now searches its parent directory for the Radius modules. This allows diapwtst to be called in a similar fashion to radpwtst.

Updated AuthBy HEIMDALDIGEST to wait longer for kdigest to exit. The old behaviour was causing zombie processes on some systems. Reported by Johan Wassberg.

Clarified and updated AttrVal.pm API. Notably, add_if_not_exist_attr and change_attr now return 0, as documented, instead of nothing. This return value still evaluates to false but is now defined. Addressed results reported by Perl::Critic.

Avoided unnecessary log messages and warnings by not probing for SCTP API support on Windows and by completely avoiding harmless use of undefined variables in AuthGeneric.

Added module Radius::JSON, which is a wrapper for various JSON backends. The module exports encode_json and decode_json from the JSON backend it finds. The last resort is JSON::PP, which should be included in Perl versions from 5.14.0 onwards.

Improved AcctLogFILE to support JSON. By default, in addition to trace_id, timestamp, source_host, and type (accounting), all attributes from Accounting-Request are logged. This behaviour can be modified with parameter AcctLogOutputDef.

Fixed saving uploaded Radiator configuration via ServerHTTP (Web GUI).

Updates to support and other help texts.

Added an expected result feature for diapwtst. When an expected result is set, diapwtst returns 0 (success) even if the actual result was something else. This makes diapwtst more useful, for example for periodically testing DIAMETER services.


--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
