Commit report for v3.0.x branch

The git bot announce at freeradius.org
Sat Aug 31 02:00:02 CEST 2019


New activity for FreeRADIUS (the high performance and highly configurable RADIUS server)

======
note recent changes

Alan T. DeKok at 2019-08-30T17:48:34Z
Files modified:
	* doc/ChangeLog

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/b10349cd8a723084bed6f3d18753d55ac33e0c8b
====== 
PostgreSQL: Don't require a lease to have expired if we reallocate it to the previous client

The current default allocate_find query causes per-client IP allocation
instability that starts when allocate_clear rate limiting comes into effect.

With initial pool conditions the default alloc_find query selects from the pool
of all *expired* leases. It selects the least recently used IP address (i.e.
the one with the oldest expiry_time) unless a matching username and/or
callingstationid exists in the table in which case these are prioritised in
order to issue the client with their previous lease. Normally picking the least
recently used address helps to avoid issuing the address to a different client,
maximising the chance of stickiness, which is desirable.

However, if a user makes successive authentication attempts whilst
allocate_clear rate limiting is active they are always allocated a different IP
address because their existing address is unavailable (has not yet expired and
has not been explicitly expired by allocate_clear), with the effect that there
are now multiple rows in the table containing the same pool_key, username and
callingstationid.

The normal ordering then has the undesirable effect of ensuring that successive
future IP address selections for the client will flip-flop between addresses
because username + callingstationid are first prioritised then the *oldest
expiry_time* is chosen (rather than the most recent expiry relating to the most
recent lease). This behaviour persists once allocate_clear rate limiting is no
longer in effect.

We can avoid having multiple rows with the same client details by
amending the allocate_find query to include an existing row matching
nasipaddress and pool_key in the available set of IP addresses regardless of
whether the lease has expired or not (i.e. re-allocation of a current lease to
the same client).

Terry Burton (via Alan DeKok)@2019-08-30T17:10:24Z
Files modified:
	* raddb/mods-config/sql/ippool/postgresql/queries.conf

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/362ef4362adacad91f922fb05ae341b85bbe7b43
====== 
MySQL: Don't require a lease to have expired if we reallocate it to the previous client

The current default allocate_find query causes per-client IP allocation
instability that starts when allocate_clear rate limiting comes into
effect.

With initial pool conditions the default alloc_find query selects from
the pool of all *expired* leases. It selects the least recently used IP
address (i.e. the one with the oldest expiry_time) unless a matching
username and/or callingstationid exists in the table in which case these
are prioritised in order to issue the client with their previous lease.
Normally picking the least recently used address helps to avoid issuing
the address to a different client, maximising the chance of stickiness,
which is desirable.

However, if a user makes successive authentication attempts whilst
allocate_clear rate limiting is active they are always allocated a
different IP address because their existing address is unavailable (has
not yet expired and has not been explicitly expired by allocate_clear),
with the effect that there are now multiple rows in the table containing
the same pool_key, username and callingstationid.

The normal ordering then has the undesirable effect of ensuring that
successive future IP address selections for the client will flip-flop
between addresses because username + callingstationid are first
prioritised then the *oldest expiry_time* is chosen (rather than the most
recent expiry relating to the most recent lease). This behaviour
persists once allocate_clear rate limiting is no longer in effect.

We can avoid having multiple rows with the same client details
by amending the allocate_find query to include an existing row matching
nasipaddress and pool_key in the available set of IP addresses regardless
of whether the lease has expired or not (i.e. re-allocation of a current
lease to the same client).

Terry Burton (via Alan DeKok)@2019-08-30T17:10:24Z
Files modified:
	* raddb/mods-config/sql/ippool/mysql/queries.conf

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/5891aee51f4843a1d3e3338fa2c10f482af25f8d
====== 
Oracle: Don't require a lease to have expired if we reallocate it to the previous client

The current default allocate_find query causes per-client IP allocation
instability that starts when allocate_clear rate limiting comes into
effect.

With initial pool conditions the default alloc_find query selects from
the pool of all *expired* leases. It selects the least recently used IP
address (i.e. the one with the oldest expiry_time) unless a matching
username and/or callingstationid exists in the table in which case these
are prioritised in order to issue the client with their previous lease.
Normally picking the least recently used address helps to avoid issuing
the address to a different client, maximising the chance of stickiness,
which is desirable.

However, if a user makes successive authentication attempts whilst
allocate_clear rate limiting is active they are always allocated a
different IP address because their existing address is unavailable (has
not yet expired and has not been explicitly expired by allocate_clear),
with the effect that there are now multiple rows in the table containing
the same pool_key, username and callingstationid.

The normal ordering then has the undesirable effect of ensuring that
successive future IP address selections for the client will flip-flop
between addresses because username + callingstationid are first
prioritised then the *oldest expiry_time* is chosen (rather than the most
recent expiry relating to the most recent lease). This behaviour
persists once allocate_clear rate limiting is no longer in effect.

We can avoid having multiple rows with the same client details
by amending the allocate_find query to include an existing row matching
nasipaddress and pool_key in the available set of IP addresses regardless
of whether the lease has expired or not (i.e. re-allocation of a current
lease to the same client).

Terry Burton (via Alan DeKok)@2019-08-30T17:10:24Z
Files modified:
	* raddb/mods-config/sql/ippool/oracle/queries.conf

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/5c152a9163917842b35a46a2fb1d37551bcc4ad2
====== 
SQLite: Don't require a lease to have expired if we reallocate it to the previous client

The current default allocate_find query causes per-client IP allocation
instability that starts when allocate_clear rate limiting comes into
effect.

With initial pool conditions the default alloc_find query selects from
the pool of all *expired* leases. It selects the least recently used IP
address (i.e. the one with the oldest expiry_time) unless a matching
username and/or callingstationid exists in the table in which case these
are prioritised in order to issue the client with their previous lease.
Normally picking the least recently used address helps to avoid issuing
the address to a different client, maximising the chance of stickiness,
which is desirable.

However, if a user makes successive authentication attempts whilst
allocate_clear rate limiting is active they are always allocated a
different IP address because their existing address is unavailable (has
not yet expired and has not been explicitly expired by allocate_clear),
with the effect that there are now multiple rows in the table containing
the same pool_key, username and callingstationid.

The normal ordering then has the undesirable effect of ensuring that
successive future IP address selections for the client will flip-flop
between addresses because username + callingstationid are first
prioritised then the *oldest expiry_time* is chosen (rather than the most
recent expiry relating to the most recent lease). This behaviour
persists once allocate_clear rate limiting is no longer in effect.

We can avoid having multiple rows with the same client details
by amending the allocate_find query to include an existing row matching
nasipaddress and pool_key in the available set of IP addresses regardless
of whether the lease has expired or not (i.e. re-allocation of a current
lease to the same client).

Terry Burton (via Alan DeKok)@2019-08-30T17:10:24Z
Files modified:
	* raddb/mods-config/sql/ippool/sqlite/queries.conf

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/d335211113d6ee1ef0140a4d9f9e3ed3bee27b5b
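
The allocation behaviour described in the four ippool commit messages above, reproduced as an added example (not code from the FreeRADIUS project or from the commits). The two queries are simplified stand-ins for allocate_find; the table layout, client values, lease length and timings are constructed assumptions.

```python
import sqlite3

# Simplified stand-ins for allocate_find (assumed; not the shipped queries.conf).
ORDER = (" ORDER BY (username = :user) DESC, (callingstationid = :csid) DESC,"
         " expiry_time LIMIT 1")
# Before the change: only expired leases are candidates.
OLD_FIND = "SELECT framedipaddress FROM radippool WHERE expiry_time < :now" + ORDER
# After the change: the client's own current lease is a candidate as well.
NEW_FIND = ("SELECT framedipaddress FROM radippool WHERE expiry_time < :now"
            " OR (nasipaddress = :nas AND pool_key = :key)" + ORDER)

def simulate(find_sql, auth_times, lease=1000):
    """Return the address handed to one client at each authentication time."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radippool (framedipaddress TEXT, nasipaddress TEXT,"
               " pool_key TEXT, username TEXT, callingstationid TEXT,"
               " expiry_time INTEGER)")
    # Constructed pool: three free addresses whose leases expired long ago.
    db.executemany("INSERT INTO radippool VALUES (?, '', '', '', '', ?)",
                   [("10.0.0.1", 0), ("10.0.0.2", 1), ("10.0.0.3", 2)])
    # Constructed client identity.
    client = {"nas": "192.0.2.1", "key": "port-7",
              "user": "alice", "csid": "aa-bb-cc"}
    issued = []
    for now in auth_times:
        # allocate_clear is never run here: this models it being rate limited,
        # so the previous lease is neither expired nor explicitly released.
        (ip,) = db.execute(find_sql, dict(client, now=now)).fetchone()
        db.execute("UPDATE radippool SET nasipaddress = :nas, pool_key = :key,"
                   " username = :user, callingstationid = :csid,"
                   " expiry_time = :exp WHERE framedipaddress = :ip",
                   dict(client, exp=now + lease, ip=ip))
        issued.append(ip)
    return issued

# Two attempts 10 s apart (second one inside the first lease), then three
# re-authentications that each happen after every lease has expired.
AUTH_TIMES = [100, 110, 2000, 4000, 6000]

if __name__ == "__main__":
    print("old:", simulate(OLD_FIND, AUTH_TIMES))
    print("new:", simulate(NEW_FIND, AUTH_TIMES))
```

With the old query the second attempt creates a second row for the same client, and every later selection alternates between the two addresses; with the amended query the client keeps one row and one address.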
====== 
fall through if there's no error

Alan T. DeKok at 2019-08-30T15:37:17Z
Files modified:
	* src/main/tls.c

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/54d6cc2cf9a8fa868e4c2f3ea56aefad09f7c5ea
====== 
doxygen

Alan T. DeKok at 2019-08-30T15:01:15Z
Files modified:
	* src/modules/rlm_eap/libeap/eap_tls.c

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/18acc1bad814dbab0d741598efbfa6eb080dbdea
====== 
note recent changes

Alan T. DeKok at 2019-08-30T14:40:17Z
Files modified:
	* doc/ChangeLog

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/4756ed3eea8b26b04645820a264d7f5175fe91ea
====== 
Use SSL_is_init_finished instead of checking the last handshake_type

Backport of d90c4bf807 from master

Matthew Newton (via Alan T. DeKok)@2019-08-30T14:39:20Z
Files modified:
	* src/main/tls.c

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/43aaae6130889f495448a4b3e57d4d36fe1366c7
====== 
Catch session_tickets being sent after the handshake. Don't error out, try and continue.

Backport of 2f4660e5fb from master

Matthew Newton (via Alan T. DeKok)@2019-08-30T14:39:11Z
Files modified:
	* src/main/tls.c

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/28c3ec03d80c3db836bbe47bec9d93cece885495
====== 
Transform to be more like v4 code

Matthew Newton (via Alan T. DeKok)@2019-08-30T14:39:01Z
Files modified:
	* src/modules/rlm_eap/libeap/mppe_keys.c
	* src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/df56d1648e077d043b03d414152c96da586f8d0f
====== 
Doxygen

Matthew Newton (via Alan T. DeKok)@2019-08-30T14:38:50Z
Files modified:
	* src/modules/rlm_eap/libeap/eap_tls.c

Commit diff:
https://github.com/FreeRADIUS/freeradius-server/commit/bd3b5a1f85a5410666c5d730bc5fb751f360b437
====== 
-- 
This commit summary was generated @2019-08-31T00:00:02Z by lgfeed version 0.00 (https://github.com/arr2036/lgfeed).