New activity for FreeRADIUS (the high performance and highly configurable RADIUS server) ====== gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAl1pYXcACgkQfQ55zXdi Hs0odQf/S9aHg3DgiIhUpaBR7SSaHlGCYisxpcfDx5yrjUNJPOuJ/+BwVZxcdOvg M1Wo53wWpZfe8qxh0qiWqa652sxBDtr/0H2Gm79cB9rqgCGHXZ/fxOua5icDyXbX epiU3f1PZKsgQnmyzhjpoT4WjOWPVzmej7HZXZape7F2C42GNIh918KkSo1/HgR5 Tv0nUrYnbVz3EevyoBjOUP4QLBAD0TYkPrNrDYDnF7gQqWiL4bcIyGgY41W7bHM0 J1aKpzk7nlYEmkdOK1zEUPRORGWCoBgW8o+N9EPsXE5TjNXQtkdHA5gb5gXxHXbg 8MsgyKeyDZvUmd4duN2Xad6xXiUfpg== =s9Sq -----END PGP SIGNATURE----- note recent changes Alan T. DeKok@2019-08-30T17:48:34Z Files modified: * doc/ChangeLog Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/b10349cd8a723084bed6f... ====== PostgreSQL: Don't require a lease to have expired if we reallocate it to the previous client The current default allocate_find query causes per-client IP allocation instability that starts when allocate_clear rate limiting comes into effect. With initial pool conditions the default alloc_find query selects from the pool of all *expired* leases. It selects the least recently used IP address (i.e. the one with the oldest expiry_time) unless a matching username and/or callingstationid exists in the table in which case these are prioritised in order to issue the client with their previous lease. Normally picking the least recently used address helps to avoid issuing the address to a different client, maximising the chance of stickiness, which is desirable. However, if a user makes successive authentication attempts whilst allocate_clear rate limiting is active they are always allocated a different IP address because their existing address is unavailable (has not yet expired and has not been explicitly expired by allocate_clear), with the effect that there are now multiple rows in the table containing the same pool_key, username and callingstationid. The normal ordering then has the undesirable effect of ensuring that successive future IP address selections for the client will flip-flop between addresses because username + callingstationid are first prioritied then the *oldest expiry_time* is chosen (rather than the most recent expiry relating to the most recent lease). This behaviour persists once allocate_clear rate limiting is no longer in effect. We can avoid getting having multiple rows with the same client details by amending the allocate_find query to include an existing row matching nasipaddress and pool_key in the available set of IP addreses regardless of whether the lease has expired or not (i.e. re-allocation of a current lease to the same client). Terry Burton (via Alan DeKok)@2019-08-30T17:10:24Z Files modified: * raddb/mods-config/sql/ippool/postgresql/queries.conf Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/362ef4362adacad91f922... ====== MySQL: Don't require a lease to have expired if we reallocate it to the previous client The current default allocate_find query causes per-client IP allocation instability that starts when allocate_clear rate limiting comes into effect. With initial pool conditions the default alloc_find query selects from the pool of all *expired* leases. It selects the least recently used IP address (i.e. the one with the oldest expiry_time) unless a matching username and/or callingstationid exists in the table in which case these are prioritised in order to issue the client with their previous lease. Normally picking the least recently used address helps to avoid issuing the address to a different client, maximising the chance of stickiness, which is desirable. However, if a user makes successive authentication attempts whilst allocate_clear rate limiting is active they are always allocated a different IP address because their existing address is unavailable (has not yet expired and has not been explicitly expired by allocate_clear), with the effect that there are now multiple rows in the table containing the same pool_key, username and callingstationid. The normal ordering then has the undesirable effect of ensuring that successive future IP address selections for the client will flip-flop between addresses because username + callingstationid are first prioritied then the *oldest expiry_time* is chosen (rather than the most recent expiry relating to the most recent lease). This behaviour persists once allocate_clear rate limiting is no longer in effect. We can avoid getting having multiple rows with the same client details by amending the allocate_find query to include an existing row matching nasipaddress and pool_key in the available set of IP addreses regardless of whether the lease has expired or not (i.e. re-allocation of a current lease to the same client). Terry Burton (via Alan DeKok)@2019-08-30T17:10:24Z Files modified: * raddb/mods-config/sql/ippool/mysql/queries.conf Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/5891aee51f4843a1d3e33... ====== Oracle: Don't require a lease to have expired if we reallocate it to the previous client The current default allocate_find query causes per-client IP allocation instability that starts when allocate_clear rate limiting comes into effect. With initial pool conditions the default alloc_find query selects from the pool of all *expired* leases. It selects the least recently used IP address (i.e. the one with the oldest expiry_time) unless a matching username and/or callingstationid exists in the table in which case these are prioritised in order to issue the client with their previous lease. Normally picking the least recently used address helps to avoid issuing the address to a different client, maximising the chance of stickiness, which is desirable. However, if a user makes successive authentication attempts whilst allocate_clear rate limiting is active they are always allocated a different IP address because their existing address is unavailable (has not yet expired and has not been explicitly expired by allocate_clear), with the effect that there are now multiple rows in the table containing the same pool_key, username and callingstationid. The normal ordering then has the undesirable effect of ensuring that successive future IP address selections for the client will flip-flop between addresses because username + callingstationid are first prioritied then the *oldest expiry_time* is chosen (rather than the most recent expiry relating to the most recent lease). This behaviour persists once allocate_clear rate limiting is no longer in effect. We can avoid getting having multiple rows with the same client details by amending the allocate_find query to include an existing row matching nasipaddress and pool_key in the available set of IP addreses regardless of whether the lease has expired or not (i.e. re-allocation of a current lease to the same client). Terry Burton (via Alan DeKok)@2019-08-30T17:10:24Z Files modified: * raddb/mods-config/sql/ippool/oracle/queries.conf Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/5c152a9163917842b35a4... ====== SQLite: Don't require a lease to have expired if we reallocate it to the previous client The current default allocate_find query causes per-client IP allocation instability that starts when allocate_clear rate limiting comes into effect. With initial pool conditions the default alloc_find query selects from the pool of all *expired* leases. It selects the least recently used IP address (i.e. the one with the oldest expiry_time) unless a matching username and/or callingstationid exists in the table in which case these are prioritised in order to issue the client with their previous lease. Normally picking the least recently used address helps to avoid issuing the address to a different client, maximising the chance of stickiness, which is desirable. However, if a user makes successive authentication attempts whilst allocate_clear rate limiting is active they are always allocated a different IP address because their existing address is unavailable (has not yet expired and has not been explicitly expired by allocate_clear), with the effect that there are now multiple rows in the table containing the same pool_key, username and callingstationid. The normal ordering then has the undesirable effect of ensuring that successive future IP address selections for the client will flip-flop between addresses because username + callingstationid are first prioritied then the *oldest expiry_time* is chosen (rather than the most recent expiry relating to the most recent lease). This behaviour persists once allocate_clear rate limiting is no longer in effect. We can avoid getting having multiple rows with the same client details by amending the allocate_find query to include an existing row matching nasipaddress and pool_key in the available set of IP addreses regardless of whether the lease has expired or not (i.e. re-allocation of a current lease to the same client). Terry Burton (via Alan DeKok)@2019-08-30T17:10:24Z Files modified: * raddb/mods-config/sql/ippool/sqlite/queries.conf Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/d335211113d6ee1ef0140... ====== gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAl1pQq8ACgkQfQ55zXdi Hs06VggAnXefSdEXelSszTU70rRLh4YV4z3829EAdpD6H5l2irroCHimdX3UbRd/ s7d1IBL/gigYe+c7uSXxMbJk9dvEKuyOX1QmUMb0Bf2gqIQCmRSo7lZxR0OX78RO ytk2RA18+ZSSF/+6OHWekfQTi9Z3hg9pE5r0ZZVW6OFi28uNB3LeGyRAz+FYszac ZIjo1/CZHkwreNP0oYBLL60pvFR9tKWPFnPqvLPl3yDfyrckSjGL1T+n4VXleZn6 dd9Ai5tSfjT1Xe8uBtIq1T0kL5MiCf1jA88fb16GKYFt4vKbTrntZPw7yNQZbb75 hiT2cDVgty7TKYdcEVerkjb3wkiKcg== =t2uO -----END PGP SIGNATURE----- fall through if there's no error Alan T. DeKok@2019-08-30T15:37:17Z Files modified: * src/main/tls.c Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/54d6cc2cf9a8fa868e4c2... ====== gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAl1pOj0ACgkQfQ55zXdi Hs34Uwf/Uth9jF8dRdN422WRjPqXD37DQf+C6nOi4aKh15jPFo5V64QUuQUmRneY 0JwRuty9UnAMhglTOuDlus5ZXxk9POrXTCD8hENYAsmfrc9CRPQDe6sRQVsjciEq UYS/x8dP65jlI/U/tZOvFN4+kqdCzHyx16rkPYtvVeXX1VolkCTrLvlyhLuDVwUk 5xvkwsbKT8d3jd/dXhIm4tFrMKbAZcgtyOXn1Rm5k9os7WnuT3Z13IhGWv+fmGdr lyZJpYGtgw2162veWmUW4g8FxjdYGV7z0Sgm8BfR1N3qcwaCbkFeBNq+LksdzoFa mLNCoHutVbBtRDD/fUFH+Y6LDPeJUw== =R1oe -----END PGP SIGNATURE----- doxygen Alan T. DeKok@2019-08-30T15:01:15Z Files modified: * src/modules/rlm_eap/libeap/eap_tls.c Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/18acc1bad814dbab0d741... ====== gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAl1pNVYACgkQfQ55zXdi Hs2rCQf/WEScN/vBVnOE1REsL+r2/fdaZTWdWuUCSgdPHtn/iMTkfXrbrQH7bOMl r3fA7/RxakQBTOuwosIKGboZgLb49vukFKC4ClTBFOlWX6+c6f2nO8P5OsRvR6WY OvLGvSYMvtPBwdbtIDqM1aAgM8eafFfAEOuachuM4LBD4WVhm7rk/ZgSZpT3yHHS QObefkxD7KFaHD8He8wRmBu2mIpgmy6e+m9yu63rBmLKkLXClXAjuAQCOd/Y5LGS 5g2kefE6GT963k+O/7t1qzMA+3W6Ek7gS611r2shuV1D2R5/zqeaiPy2vf8HtTwn sW74Fn7hqgiIGtgjo0HX8F8r7t/V1g== =Yl0w -----END PGP SIGNATURE----- note recent changes Alan T. DeKok@2019-08-30T14:40:17Z Files modified: * doc/ChangeLog Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/4756ed3eea8b26b046458... ====== gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAl1pNRgACgkQfQ55zXdi Hs2Z5ggAgguXtjc/PMx89XETXqQYVvRUrNIHXIY82YjBWK8HdLyXpgNan7OIlQel R0JrwmES330M7EOYkXNKPwSibbF9cYfysy2z/U388R5G3JW256CmXzXTfMws4c9l Y2AA38ozwUkpG5AdEba+GWY2LEuzjgC8oYBL52ceDJbB7V5pFQQYjMa9WmHiIwpv NWXJ65sohoMFfUyEkuFGCqN5e6Hcd3xbB+dirYOnxdlwi+9DstWgwn7wXJCtYQ1s jYZ9AkcIyg7au4x6pWxu7RRsIB33IC9Nk4ph1eaFqZ5Km2nlpVUKLtKMtiXCHSJ+ mT71xXT7u38X0V9uKic6TfjLq/cE+w== =EbkJ -----END PGP SIGNATURE----- Use SSL_is_init_finished instead of checking the last handshake_type Backport of d90c4bf807 from master Matthew Newton (via Alan T. DeKok)@2019-08-30T14:39:20Z Files modified: * src/main/tls.c Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/43aaae6130889f495448a... ====== gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAl1pNQ8ACgkQfQ55zXdi Hs1ivQgAp4qQ/evSVtNEI5cJbb2lq7qRZ7R5+lGH3LlqUf0/zID20aaiFF3QXowJ suJ6sQqp1tUrgXu5QSjmGGvrDotooN2NvYCRyQlxYl1GA6tThiTe6+mdcM7ngzVL l+yBTcRFfPqhnI8aOJSL9LD9pgE4a0nDxeBTXoXZ6F17Xr3775eatu2lvm6KDbs1 pdDaCNVKWDVKKsC5offb4IEZYjWdTe8iQjHcJwcpSuVGK1sh4x5PRH9dj3M02eJW RYDZPGtoBf1Y1DQS64CA848LXlNsdDp6xG46uzOdJ1hjuv5KejTpJBaCOILdIO+A OEDmZqG8OM1IOPgliv+hCknAW0Ch9A== =/oQI -----END PGP SIGNATURE----- Catch session_tickets being sent after the handshake. Don't error out, try and continue. Backport of 2f4660e5fb from master Matthew Newton (via Alan T. DeKok)@2019-08-30T14:39:11Z Files modified: * src/main/tls.c Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/28c3ec03d80c3db836bbe... ====== gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAl1pNQUACgkQfQ55zXdi Hs0bHgf/cDtrdfBPpC75NkEsBV6gMjzREpm05Ny48yfE/MslPTU922alnTuMCYlu F2NKQIGf6EY87QD/2ErvdVaazWGfeFy605bcxlhm8mnQSJQ4ypAK4ovUiGxYPlN5 s/cVbFZ+jF+iKjy1GRjF2EvPGyVeaguoN/ZljTFMeJR9MU3vf4q6u667clZMXD7S smzoWXFjZ7VESLzHEefWDUm+ODHmDsuAA81wWmbwKME1ZfjHN1+QHO1mZpdKSh7x S1cxnksg6kdvDQXkhIh34OL3WyJB103HBJYiK9UVhcncdPbPa4QyncVdqDkrZ8J4 2F5B5pVBR0h6lwYE+oGRTsP8kjuZ+g== =5WSM -----END PGP SIGNATURE----- Transform to be more like v4 code Matthew Newton (via Alan T. DeKok)@2019-08-30T14:39:01Z Files modified: * src/modules/rlm_eap/libeap/mppe_keys.c * src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/df56d1648e077d043b03d... ====== gpgsig -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEE8n1lTTL4FC4LtEWpfQ55zXdiHs0FAl1pNPoACgkQfQ55zXdi Hs1Z1Qf/U8KNYzwgp9RnJcOBdSovJN/7+H48SorLyz8uxlKsQVItr3L0sq24J5Wi iGWvgNjAJlXb4qX23iFUXNUpsqOUzOb5Y1c8gjZ71EJ4iNLdtUWubR0uFkDDTG+H pJnnIWOOCMfUrw/nyE5k6j4n861qFbrdcoRFprW9IdHr7LKUg5sx7O/rUU4XShsB 9uxMwjRhR3kHPaVq7D/g2pMiQ6ejhzMK2mlMgm6/eM7bR8ZOrCmjwKuRWKcpFaCU Wf48V3tCaJ6ybuzm5w7sVrz3no7lzBFWW0W+TI9iNLa0KmYZsx/83VXWl96uxbVs 4sFGGuabZJduewTonzyq8BuXBJmhSQ== =Klc8 -----END PGP SIGNATURE----- Doxygen Matthew Newton (via Alan T. DeKok)@2019-08-30T14:38:50Z Files modified: * src/modules/rlm_eap/libeap/eap_tls.c Commit diff: https://github.com/FreeRADIUS/freeradius-server/commit/bd3b5a1f85a5410666c5d... ====== -- This commit summary was generated @2019-08-31T00:00:02Z by lgfeed version 0.00 (https://github.com/arr2036/lgfeed).