[RADIATOR] Radiator Version 4.23 released - security fixes, new features, enhancements and bug fixes
Heikki Vatiainen
hvn at open.com.au
Wed Apr 10 16:02:56 UTC 2019
We are pleased to announce the release of Radiator version 4.23
This version contains security fixes for EAP-pwd authentication and
certain TLS configurations. Other changes include new features,
enhancements and bug fixes. See below for the details.
As usual, the new version is available to current licensees
and evaluators from:
https://www.open.com.au/radiator/downloads.html
Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html
An extract from the history file
https://www.open.com.au/radiator/history.html is below:
-----------------------------
Revision 4.23 (2019-04-10) security fixes, new features, enhancements
and bug fixes
Selected compatibility notes, enhancements and fixes
Improved AcctLogFILE to support JSON.
Security fixes for EAP-pwd authentication and certain TLS
configurations. OSC recommends that all users
review OSC security advisory OSC-SEC-2019-01:
https://www.open.com.au/OSC-SEC-2019-01.html
Known caveats and other notes
TLSv1.3 is not enabled by default for TLS based EAP methods.
TLSv1.3 is not enabled by default for Stream based classes, such as RadSec.
Detailed changes
Fixed EAP-pwd implementation security bugs reported by Mathy Vanhoef.
Added an example of using the SupplementaryGroups option in the systemd goodies
files radiator.service and radiator@.service. This parameter is
typically used with AuthBy NTLM to grant access to the winbindd socket.
Added support for the experimental parameters EAPTLS_CRLCheckUseDeltas and
TLS_CRLCheckUseDeltas. These enable Delta Certificate Revocation List
support for TLS based EAP and Stream classes, such as EAP-TLS and
RadSec. Added test CRLs to the Radiator demo certificates. See the Radiator
reference manual for the details.
Fixed a crash in EAP-TLS and TLS based Stream classes, such as RadSec,
when Radiator tried to log information about a certificate during
specially configured verification. The certificate is not made available by
the TLS library in all verification failure cases. Reported by Stefan Winter.
AuthGeneric.pm updates: MSCHAPv2 was incorrectly logged as misspelled
when checking AuthenProto configuration parameter. Addressed a number of
Perl::Critic reports.
AuthBy RADIUSBYATTR HostParamDef now accepts 0 as a possible default value.
Update test.pl to clean up temporary files after finishing.
DiaClient inheritance was updated to allow better log message control.
Updated diapwtst accordingly. Addressed a number of DiaClient related
Perl::Critic reports.
Fixed some log messages that did not correctly interpolate variables.
Addressed other minor results reported by Perl::Critic.
Added RAdmin + TOTP configuration sample radmin_totp.cfg in goodies.
JSON::MaybeXS was mistakenly added as a JSON backend. However, it is a
wrapper for backends, so it has now been removed from the list of JSON backends.
Peer certificate issuer, subject and serial number, in decimal and
hexadecimal format, are now logged at debug level when Radiator verifies a
peer certificate during EAP-TLS authentication or a TLS based stream
connection. This information is logged from the verify callback while the
TLS/SSL library is doing certificate verification. Logging is now done
during both successful and failing verification. Previously only some
certificate information was logged.
Updated dictionary. Added 6 new VSAs for VENDOR 388 Symbol. For VENDOR
4329 Siemens added Siemens-AP-Mac as a new VSA and
Siemens-Ingress-RC-Name and Siemens-Egress-RC-Name as aliases for
Siemens-Ingress-RC and Siemens-Egress-RC.
LogSYSLOG did not log Trace 5 level messages but printed out warnings
about invalid level/facility to STDERR. Reported by Paul Dekkers.
Requests without User-Name were triggering warnings that were enabled in
Radiator 4.21. The reported cases now avoid the warnings, and usernames that are
empty rather than undefined are now logged more clearly. Similar work
enabling more warnings continues and any reports are welcome. The cases now
fixed were reported by Paul Dekkers and Roland Rosenfeld.
When malformed attributes are received, the sender IP address and port are
now included in the log message. Suggested by Paul Dekkers.
Added support for the configuration parameter AddToRequestIfNotExist in AuthBy
RADIUS, AuthBy RADSEC, and AuthBy DNSROAM.
Fixed make zipdist and other non-default make targets, which were failing.
Unit test name cleanup and better separation between tests.
The generate-totp.pl and nthash.pl goodies utilities no longer need Radiator
modules. They now require Net::SSLeay and Digest::MD4, respectively.
diapwtst now searches its parent directory for the Radius modules. This
allows diapwtst to be called in the same fashion as radpwtst.
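The radmin_totp.cfg sample and the standalone generate-totp.pl utility mentioned above both rely on RFC 4226 HOTP / RFC 6238 TOTP. The following is an added illustration, not Radiator code or the goodies script: it computes and verifies TOTP codes with only the Python standard library, using the RFC 6238 reference secret as constructed input. The function names, the +/-1 step acceptance window and the Base32 export are assumptions of this example, not Radiator parameters.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP in pure Python (illustrative, not Radiator code)."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamically truncated (RFC 4226 s5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP = HOTP(K, floor(T / step)) where T is Unix time (RFC 6238 s4)."""
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, for_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a code for the current step or any step within +/- window (clock skew).

    A malformed code is rejected before any HMAC is computed, and the comparison
    is constant-time so a verifier cannot leak digit-by-digit matches.
    """
    if len(code) != digits or not code.isdigit():
        return False
    counter = for_time // step
    return any(hmac.compare_digest(hotp(secret, counter + delta, digits), code)
               for delta in range(-window, window + 1))


def base32_secret(secret: bytes) -> str:
    """Unpadded Base32 form of the shared secret, the encoding authenticator apps expect."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"); test use only.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("6-digit TOTP at T=59:", totp(RFC_SECRET, 59))
    print("8-digit TOTP at T=59:", totp(RFC_SECRET, 59, digits=8))
    print("Base32 secret:", base32_secret(RFC_SECRET))
    print("verify at T=59:", verify_totp(RFC_SECRET, "287082", 59))
```

The acceptance window is the knob a practitioner should think about: every extra step accepted multiplies an attacker's chance of guessing a six-digit code, so keep it as small as the NAS and server clock skew allows, and pair it with rate limiting on the authentication path.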
Updated AuthBy HEIMDALDIGEST to wait longer for kdigest to exit. Old
behaviour was causing zombie processes on some systems. Reported by
Johan Wassberg.
Clarified and updated AttrVal.pm API. Notably, add_if_not_exist_attr and
change_attr now return 0, as documented, instead of nothing. This return
value still evaluates to false but is now defined. Addressed results
reported by Perl::Critic.
Avoid unnecessary log messages and warnings by not probing SCTP API
support on Windows and by completely avoiding harmless use of undefined
variables in AuthGeneric.
Added module Radius::JSON, which is a wrapper for various JSON backends.
The module exports encode_json and decode_json from the JSON backend it
finds. The last resort is JSON::PP, which should be included with Perl versions
from 5.14.0 onwards.
Improved AcctLogFILE to support JSON. By default, in addition to
trace_id, timestamp, source_host, and type (accounting), all attributes
from the Accounting-Request are logged. This behaviour can be modified with
the parameter AcctLogOutputDef.
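A JSON-per-line accounting log is most useful when something downstream correlates the records. The following is an added example, not Radiator code: it parses such a log, groups records into sessions and flags the conditions a SOC typically cares about (Stop without Start, duplicate Start, sessions left open, and Acct-Session-Time disagreeing with the Start/Stop timestamps). The sample lines are constructed for this example, and the record layout it assumes (trace_id, timestamp, source_host and type as the page describes, with the Accounting-Request attributes as top-level keys named as in the RADIUS dictionary) should be checked against real AcctLogFILE output before use.

```python
"""Correlate RADIUS accounting sessions from a JSON-per-line log (added example, not Radiator code)."""
import json

# Constructed sample log lines, not output captured from Radiator. The key layout
# (trace_id, timestamp, source_host, type plus attribute names) is an assumption.
SAMPLE_LOG = """\
{"trace_id": 1, "timestamp": 1554912000, "source_host": "10.0.0.2", "type": "accounting", "Acct-Status-Type": "Start", "Acct-Session-Id": "s1", "User-Name": "alice", "NAS-IP-Address": "10.0.0.2"}
{"trace_id": 2, "timestamp": 1554912600, "source_host": "10.0.0.2", "type": "accounting", "Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "s1", "User-Name": "alice", "Acct-Session-Time": 600}
{"trace_id": 3, "timestamp": 1554913200, "source_host": "10.0.0.2", "type": "accounting", "Acct-Status-Type": "Stop", "Acct-Session-Id": "s1", "User-Name": "alice", "Acct-Session-Time": 1200, "Acct-Terminate-Cause": "User-Request"}
{"trace_id": 4, "timestamp": 1554913300, "source_host": "10.0.0.3", "type": "accounting", "Acct-Status-Type": "Stop", "Acct-Session-Id": "s9", "User-Name": "bob", "Acct-Session-Time": 30}
this line is deliberately not JSON
{"trace_id": 5, "timestamp": 1554913400, "source_host": "10.0.0.3", "type": "accounting", "Acct-Status-Type": "Start", "Acct-Session-Id": "s7", "User-Name": "carol"}
"""


def parse_records(text):
    """Return (accounting records, count of unparseable lines); a bad line must not abort the run."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(rec, dict) and rec.get("type") == "accounting":
            records.append(rec)
    return records, bad


def correlate(records, max_drift=60):
    """Group records by (NAS source_host, Acct-Session-Id); return sessions and anomaly tuples."""
    sessions, anomalies = {}, []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        key = (rec["source_host"], rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        sess = sessions.setdefault(
            key, {"user": rec.get("User-Name"), "start": None, "stop": None, "updates": 0})
        if status == "Start":
            if sess["start"] is not None:
                anomalies.append(("duplicate-start", key))
            sess["start"] = rec["timestamp"]
        elif status == "Interim-Update":
            sess["updates"] += 1
        elif status == "Stop":
            if sess["start"] is None:
                anomalies.append(("stop-without-start", key))
            sess["stop"] = rec["timestamp"]
            sess["session_time"] = rec.get("Acct-Session-Time")
            # The NAS-reported duration should agree with the server-side timestamps.
            if sess["start"] is not None and sess["session_time"] is not None:
                if abs((sess["stop"] - sess["start"]) - sess["session_time"]) > max_drift:
                    anomalies.append(("session-time-mismatch", key))
    for key, sess in sessions.items():
        if sess["start"] is not None and sess["stop"] is None:
            anomalies.append(("open-session", key))
    return sessions, anomalies


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    sessions, anomalies = correlate(recs)
    print(f"{len(recs)} records, {bad} unparseable line(s)")
    for key, sess in sessions.items():
        print(key, sess)
    for anomaly in anomalies:
        print("ANOMALY", anomaly)
```

Keying sessions on the source host as well as Acct-Session-Id matters because session identifiers are only unique per NAS; two devices reusing the same identifier would otherwise be merged into one bogus session.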
Fixed saving uploaded Radiator configuration via ServerHTTP (Web GUI).
Updates to support and other help texts.
Added an expected result feature for diapwtst. When an expected result is set,
diapwtst returns 0 (success) whenever the actual result matches it, even if
that result would otherwise count as a failure. In this way diapwtst can be
more useful, for example to periodically test DIAMETER services.
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.