Note: ¤ means a high priority item involving security or a major change in operation.
· The constructor Attribute(int type, Date date) was incorrectly casting the date in its conversion to seconds, so that recovered times landed around 1969. This has been fixed.
· The method RADIUSEncrypt.saltEncode() was not adding the data length octet correctly, leading to bad decodings by clients.
· The EAP clients were starting with an incorrect EAP packet identifier for their IDENTITY packet. This has been fixed so they start at 0. They were also tracking their own packet identifiers and ignored cases where the packet identifiers were reset.
· The class files dictionary.util.* were not included in the distribution. They are present now.
· Fixed a problem with the RADIUSClient class where it was possible to misread the packet type and packet identifier resulting in misidentifying packets.
· Fixed a problem with the RADIUSDictionary class where it couldn't look up values of Vendor-Specific attributes. E.g., given a RADIUSDictionary rd, the lookup int vendorId = 6; int i = rd.getIntValue(vendorId, "Example-Attribute-Name", "Station-Type"); would always return -1 instead of whatever value "Station-Type" was assigned.
· Fixed problems with the DMCOA client's receiver: the authenticator was miscalculated.
· Added three methods to the RADIUSClient for Disconnect-Message and Change of Authorization packet support. The bind(InetAddress bindAddr, int bindPort) method is used primarily for sending DM/CoA messages; it binds the client to the DM/CoA port at a particular host address. The second method, dmcoa(int packetType, AttributeList alist), sends a DM/CoA packet to the server. This is really a wrapper around the accounting(int packetType, AttributeList alist) method. There is now a public checkAccountingAuthenticator() method to check accounting authenticators.
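The authenticator checks behind checkAccountingAuthenticator() and the DM/CoA receiver fix above work the same way on the wire: Accounting-Request (RFC 2866) and Disconnect/CoA-Request (RFC 5176) carry a Request Authenticator computed with the authenticator field zeroed, and every response carries a Response Authenticator computed over the request's authenticator. The following is an added example, not code from the original page or from the radius3 library; the secret, attribute values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2866, RFC 5176)
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
DISCONNECT_REQUEST = 40
COA_REQUEST = 43

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length: network order, unsigned


def attribute(attr_type, data):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def request_authenticator(code, ident, attrs, secret):
    """Request Authenticator for Accounting-Request (RFC 2866 section 3) and
    Disconnect/CoA-Request (RFC 5176 section 2.3):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """Assemble a request whose authenticator covers the attributes."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator (RFC 2865 section 3):
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def check_request_authenticator(packet, secret):
    """Receiver side (accounting server, or a NAS's DM/CoA receiver): recompute
    the authenticator with the authenticator field treated as 16 zero octets."""
    code, ident, length = HEADER.unpack_from(packet)
    if length < 20 or length > len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])


def check_response_authenticator(response, request, secret):
    """Client side: the response must echo the request's Identifier, and its
    authenticator is bound to the request's authenticator, so a reply cannot be
    forged without the secret or replayed against a different request."""
    code, ident, length = HEADER.unpack_from(response)
    if ident != request[1] or length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed sample exchange: Accounting-Request "Start" for user alice.
SECRET = b"example-shared-secret"  # constructed for this example
ACCT_STATUS_TYPE, USER_NAME = 40, 1
SAMPLE_ATTRS = attribute(ACCT_STATUS_TYPE, struct.pack("!I", 1)) + attribute(USER_NAME, b"alice")

if __name__ == "__main__":
    req = build_request(ACCOUNTING_REQUEST, 7, SAMPLE_ATTRS, SECRET)
    print("request authenticator ok:", check_request_authenticator(req, SECRET))
    resp = build_response(ACCOUNTING_RESPONSE, req, b"", SECRET)
    print("response authenticator ok:", check_response_authenticator(resp, req, SECRET))
```

Both checks use a constant-time comparison; a DM/CoA receiver that compares authenticators with ordinary equality leaks timing, and one that forgets to zero the authenticator field before hashing (the miscalculation fixed above) rejects every valid request.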
¤ An error in the RADIUSClient would cause CHAP authentication to recurse endlessly until the JVM ran out of memory. This has been fixed.
¤ An error in the EAPMD5 client caused the NAS-Identifier to be ignored when present. This has been fixed.
· The RADIUSClient's DM/COA receiver (DMCOAReceiver class) can now run independently of a RADIUSClient. This was requested so that DM/CoA messages can be handled without a RADIUSClient being present to keep the DMCOAReceiver alive. There is a new constructor that provides this service.
· Fixed a problem in AV.lookup(int vendorId, int attribute, int value) where it wouldn't find the symbolic value if there was a dictionary present.
· The BouncyCastle MD4 has been replaced with an internal version.
· A utility to generate the new DefaultDictionary class has been added. It can generate a default dictionary suited to your needs from any set of dictionary files. Don't try to add all the dictionaries: Java classes are limited in length, so although the 'DefaultDictionary.java' file will be produced it will not compile.
· Added an RSA ACE Server client (com.theorem.radserver3.auth.rsaace.client). It loops on the ACE server's continual questioning and supplies the answers. It can be used either as a looping client and/or through its callback interface as a mechanism for some other class or external system. See the package com.theorem.radius3.auth.rsaace.client for details. An example client appears in com.theorem.radius3.examples.rsaclient.
V 3.43e June 07, 2006
· Fixed a package problem with the BitArray.java file.
· Changed how MD5 is generated. Instead of using a local version of MD5 we use the java.security.MessageDigest version with a wrapper.
· Fixed many problems in the RADIUSDictionary.
· Added a new authentication method - Digest Authentication. This is described in draft-sterman-aaa-sip-00.txt. It provides authentication for HTTP/SIP and currently supports only the "MD5" and "MD5-sess" algorithms. The client is found in com.theorem.radius3.auth.digest.client.
· Added support for Ascend-Send-Secret and Ascend-Receive-Secret encoding (type 3) as RADIUSEncrypt.encode3().
¤ The client would spuriously detect duplicates because the packet identifier was not being properly converted to an integer: sign extension turned identifiers 128-255 into negative values. This has been fixed.
· The version numbers of the RADIUS client will mirror (as far as possible) the server version. This should clear up confusion with features using the '@since' tag that seemingly refer to future client versions but in fact refer to the current server version.
· A server can return a packet type (code) of 0 instead of a valid packet type. The client did not check for this specifically; it correctly determined that the packet was bad (returning PacketType.Bad_Packet) and reacted accordingly, but failed to indicate what the problem was. This case is now checked explicitly and a proper error number and message are generated.
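The three header checks above (an unsigned identifier, a valid packet code, and the packet-size test added in V 3.23 as ERROR_PACKET_SIZE further down) are what a client does before it even looks at the authenticator. The following is an added example, not code from the original page or from the radius3 library: the error names, the BadPacket class and the sample datagram are constructed for illustration, and the length rules follow RFC 2865 section 3, which discards a datagram shorter than its Length field and treats octets beyond Length as padding.

```python
import struct

MIN_PACKET, MAX_PACKET = 20, 4096
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length: all unsigned

# Error names are constructed for this example; the library's constants may differ.
ERROR_PACKET_SIZE = "ERROR_PACKET_SIZE"
ERROR_PACKET_CODE = "ERROR_PACKET_CODE"
ERROR_ATTRIBUTE = "ERROR_ATTRIBUTE"


class BadPacket(ValueError):
    def __init__(self, error, message):
        super().__init__(f"{error}: {message}")
        self.error = error


def parse_packet(datagram, allow_empty_attributes=False):
    """Validate a received datagram per RFC 2865 section 3 and return
    (code, identifier, authenticator, [(type, value), ...])."""
    if len(datagram) < MIN_PACKET:
        raise BadPacket(ERROR_PACKET_SIZE, f"{len(datagram)} octets is below the 20 octet minimum")
    # 'B' keeps the identifier in 0..255.  Reading it as a signed Java byte (or
    # struct format 'b') maps 0x80..0xFF to -128..-1, so a reply carrying
    # identifier 200 never matches the request that was sent with 200.
    code, ident, length = HEADER.unpack_from(datagram)
    if not MIN_PACKET <= length <= MAX_PACKET:
        raise BadPacket(ERROR_PACKET_SIZE, f"Length field {length} out of range")
    if length > len(datagram):
        raise BadPacket(ERROR_PACKET_SIZE, f"Length field {length} exceeds {len(datagram)} received octets")
    # Octets past Length are padding and are ignored.
    if code == 0 or code == 255:
        raise BadPacket(ERROR_PACKET_CODE, f"code {code} is not a valid packet type")
    authenticator = datagram[4:20]
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise BadPacket(ERROR_ATTRIBUTE, "truncated attribute header")
        attr_type, attr_len = datagram[pos], datagram[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise BadPacket(ERROR_ATTRIBUTE, f"attribute {attr_type} has bad length {attr_len}")
        if attr_len == 2 and not allow_empty_attributes:
            raise BadPacket(ERROR_ATTRIBUTE, f"attribute {attr_type} is empty")
        attrs.append((attr_type, datagram[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, authenticator, attrs


def matches_request(response, sent_identifier):
    """The identifier test a client applies before comparing authenticators."""
    return response[1] == sent_identifier


# Constructed sample: Access-Accept, identifier 200, one Reply-Message
# attribute ("hello"), followed by 3 octets of padding beyond Length.
ACCESS_ACCEPT, REPLY_MESSAGE = 2, 18
SAMPLE = (bytes([ACCESS_ACCEPT, 200]) + (27).to_bytes(2, "big") + bytes(16)
          + bytes([REPLY_MESSAGE, 7]) + b"hello" + bytes(3))

if __name__ == "__main__":
    print(parse_packet(SAMPLE))
```

The allow_empty_attributes flag mirrors the later RADIUSClient.allowEmptyAttributes(boolean) item: a length-2 attribute is legal on the wire but some peers never send one, so rejecting it by default surfaces corrupt packets early.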
¤ The client now uses the javax.crypto package instead of locally contained crypto methods. This should allow everyone to use other crypto packages if Sun's implementation isn't to your liking. BouncyCastle (http://www.bouncycastle.org/) or Cryptix (http://www.cryptix.org/) work well as cryptographic providers.
· Fixed a problem in the com.theorem.radius3.radutil.FailOverRADIUSClient. It would ignore port settings and use the default ports for the server.
· The RADIUSClient has a new method - RADIUSClient.retry(). This folds up the code that was formerly required to perform a retry: recovering the request attributes and re-authenticating or accounting. The retry() method runs much faster. There is also an explicit RADIUSClient.getRequestAttributes(). In previous versions the getAttributes() doubled as
· Added two methods to AttributeList: decodeAll() and encodeAll(). They decode and encode attributes with a salt as specified in the draft RFC "Salt-Encryption of RADIUS Attributes". These are used primarily with Vendor-Specific sub-attributes and in particular with Cisco VSAs using the Cisco Encrypted String VSA Format. The server and client must both expect this format.
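Salt encryption is the RFC 2868 section 3.5 Tunnel-Password construction: a two-octet salt with its high bit set, a plaintext that starts with a one-octet length (the octet the saltEncode() fix at the top of this file concerns) and is zero-padded to a multiple of 16, and MD5 keystream blocks chained through the previous ciphertext block. The following is an added example, not code from the original page or from the radius3 library; the secret, request authenticator and function names are constructed for illustration.

```python
import hashlib
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def salt_encode(password, secret, request_auth, salt=None):
    """RFC 2868 section 3.5 (the same scheme the Cisco encrypted-string VSAs use):
       P  = Length(1 octet) || password || zero padding to a multiple of 16
       b1 = MD5(Secret || RequestAuthenticator || Salt)   c1 = p1 XOR b1
       bi = MD5(Secret || c(i-1))                         ci = pi XOR bi
    Returns Salt || c1 || ... || cn.  The leading length octet is what lets a
    decoder strip the padding; get it wrong and every client decodes garbage."""
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80, os.urandom(1)[0]])  # MSB must be 1
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    if len(password) > 255:
        raise ValueError("password too long for the one-octet length field")
    plain = bytes([len(password)]) + password
    plain += bytes(-len(plain) % BLOCK)
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), BLOCK):
        block = _xor(plain[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return salt + out


def salt_decode(data, secret, request_auth):
    """Inverse of salt_encode; rejects malformed input instead of returning garbage."""
    salt, cipher = data[:2], data[2:]
    if len(salt) != 2 or not cipher or len(cipher) % BLOCK:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), BLOCK):
        plain += _xor(cipher[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + BLOCK]
    length = plain[0]
    if length > len(plain) - 1:
        raise ValueError("length octet exceeds payload (wrong secret or corrupt data)")
    return plain[1:1 + length]


def encode_tunnel_password(tag, password, secret, request_auth, salt=None):
    """Tunnel-Password value: Tag || Salt || String (RFC 2868 section 3.5)."""
    return bytes([tag]) + salt_encode(password, secret, request_auth, salt)


def decode_tunnel_password(value, secret, request_auth):
    return value[0], salt_decode(value[1:], secret, request_auth)


# Constructed sample values for this example.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    value = encode_tunnel_password(1, b"tunnel-pw", SECRET, REQUEST_AUTH)
    print(value.hex(), decode_tunnel_password(value, SECRET, REQUEST_AUTH))
```

Because the keystream depends on the request authenticator, a value encoded in one Access-Request cannot be decoded (or replayed) against another; and because the length octet occupies the first position, a 15-octet password fits in one block while a 16-octet one needs two.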
· Changed the format of packet dumps. Only the data is printed out, trailing zeros to fill the dump no longer appear. Trailing underscores appear instead to help make the display appear normal to those using variable pitch fonts.
· Added support for Expanded Types in the EAPPacket class, supporting vendor-specific EAP packets according to RFC 3748 'Extensible Authentication Protocol (EAP)'. This includes an implementation of the Expanded-Nak packet.
· EAPPacket.getIdentity() and EAPPacket.getIdentityBytes() both conform to RFC 3748, which allows identity values to contain a NUL character (usually as a terminator). The data prior to the NUL is returned.
¤ Fixed a problem in the RADIUSClient - it was possible to get a null pointer exception using AV.lookup(A.Acct_Status_Type, "Start"). The static members of the AV class were not initialized. This is now done during the RADIUSClient startup.
· Added support for Disconnect-Messages and Change-of-Authorization messages. Disconnect and CoA messages are sent from the server to a client (the reverse of the normal direction of communication) either to attempt to disconnect a client or to change filters and so forth. This is done through the class com.theorem.radius3.dmcoaclient.DMCOAReceiver and its callback mechanism, the interface DMCOACallback.
· Dictionaries have been integrated into the display of attributes (Attribute.toString()). There is now a RADIUSServer.addDictionary() method to add the contents of a RADIUS dictionary to the server, and similarly a RADIUSClient.addDictionary() method.
· The com.theorem.radserver3.dictionary.Dictionary class has been renamed to RADIUSDictionary owing to a conflict with java.util.Dictionary that would cause end consumers problems.
· The attribute Acct-Authentic was returning a data type of string from the method Attribute.getDataType(). It now returns the correct data type of integer. Other data types have been fixed as well.
¤ LEAP authentication has been introduced. LEAP is Cisco's proprietary Lightweight EAP authentication. Note that LEAP's MS-CHAP-style challenge/response is susceptible to offline dictionary attack on a captured exchange, so it should not be relied on where stronger EAP methods are available.
¤ The MSCHAP V2 authentication was not correctly re-calculating the confirmation of the MS_CHAP2_Success attribute. This has been fixed.
¤ Tunnel attributes are handled a little differently. Attribute.getAttributeData() returns the raw data, tag included. All other Attribute conversions (getIP(), getInt(), getString()) continue to work as expected. To get the binary tunnel data without the tag, please use the new Attribute.getTunnelValue() method.
· The AcctInfo.getLivingstonEntry() and getMSNTEntry() methods have been modified to extract tunnel attributes properly with the above change in mind.
· AttributeList has a new method: Attribute [] getVendorSpecific(int vendor, int vendorTag). This picks up all Vendor-Specific sub-attributes of a particular type from all VSAs in the attribute block. It works both for a VSA with multiple sub-attributes and for multiple single-valued VSAs. This saves a lot of looping through the VSAs.
· Moved HMAC_MD5 from the radserver3 package to the radserver3.radutil package.
· Added support for Microsoft Point-to-Point Encryption Protocol (MPPE). The method is RADIUSClient.getMSCHAPMPPE(). It returns a new class, MPPE, holding the MPPE keys.
· Added a method to get the value of the RADIUS client debug flag: RADIUSClient.getDebugIndicator().
· Removed references to BitSet, as half of it was written for JDK 1.3 and the other half for JDK 1.4. BitArray() is now used instead to provide the functionality of BitSet. This preserves backwards compatibility with JDK 1.3.
· Added a Dictionary class that is able to read Livingston and FreeRadius style dictionaries. This class handles included files.
· Fixed a problem where duplicate response packet checking was not cleaning out old entries properly.
· The reset() method wasn't using the correct packet identifier generator. It was using a random number generator without taking precautions against generating the same number repeatedly.
· Added client tests for correct packet size. There is a new Bad_Packet error, ERROR_PACKET_SIZE, indicating that the packet is either less than the minimum size or that its reported length does not agree with the physical length.
V 3.23 September 24, 2003
· Added the Serializable interface to many classes to satisfy the requirements of the RADIUSLogin module.
· Added methods RADIUSClient.getPacketTypeName() and getPacketTypeName(int packetType) to allow the display of the returned packet type or any packet type respectively.
· The Ascend class has been added. It supports the Ascend Vendor-Specific attributes.
· Changes to the MersenneTwister pseudo-random number generator required some small code changes that reduce the number of MD5 calculations.
· The RADIUSClient class can now can retrieve Tunnel-Password attributes using the getTunnelPassword(int tag) method.
· The display of tunnel data has been fixed in Attribute.toString(). The tunnel attribute data was not properly reconstituted after the method convertToTunnel() was used; this has also been fixed. The RADIUS server now proxies them correctly.
· Added three methods to Attribute to determine the probable data type of an attribute's payload data: Attribute.getDataType(), Attribute.getDataType(int tag), and setDataType(int tag, int dataType). The get() methods return the values DATA_TYPE_DATE, DATA_TYPE_INTEGER, DATA_TYPE_IPADDRESS, DATA_TYPE_OCTETS, DATA_TYPE_STRING, and DATA_TYPE_UNKNOWN. Another data type is DATA_TYPE_TUNNEL, which may be OR'd with any of the other types if the attribute is a tunnel attribute. Unless you're expecting to handle tunnel attributes you may ignore the DATA_TYPE_TUNNEL data type.
· Fixed some problems with the RADIUSLogin JAAS module. It was throwing ClassCastExceptions amongst other problems. The working code somehow reverted to old code during one of the distributions.
· Fixed some problems with RADIUSLogin. For some reason some of the code creating a number of Callbacks had disappeared.
· Fixed a synchronized() block error in AttributeName where it was possible to throw a ConcurrentModificationException under some debugging race conditions. AttributeName is largely used by the Attribute.toString() method.
· Complete overhaul of the JAAS login classes (login/RADIUSLogin module). Now there are callbacks for all RADIUS client response packet types. In addition the handler classes have been made more useful by the addition of informational methods that indicate whether a particular handler is to be consulted.
· Changed the name of the attribute Tunnel_Medium to Tunnel_Medium_Type as specified in RFC 2868. Also added Acct-Tunnel-Connection which was missing.
· Fixed the display of tunnel attributes - the first data byte was missing in some cases.
· Added the method AttributeList.setAttributeAt(int n, Attribute a) to complement AttributeList.getAttribute(int n).
· Moved the DumpPacket class to the radutil directory.
· Added the class Replay to the radutil directory. This will replay packets extracted from the log files.
· Fixed a problem in RADIUSClient where passing a replay packet wasn't tracking the original authenticator and packet identifier. This would always result in an authenticator or packet id mismatch.
· The class AV contained inner classes that weren't declared static which caused some versions of the Java compiler to generate the error "Can't make a static reference to inner class ...". This has been fixed.
· Fixed a problem in the method EAPPacket.createNotificationResponse() where a null pointer exception was being thrown.
· IPv6 support added in the Attribute / AttributeList / AccountingInfo classes. If your JVM is older than version 1.4, IPv6 references will probably generate UnknownHostExceptions when creating or reading the attributes.
RFC 3162 - 'RADIUS and IPv6' specifies the following attributes as IP V6: NAS-IPv6-Address, Framed-Interface-Id, Framed-IPv6-Prefix, Login-IPv6-Host, Framed-IPv6-Route, and Framed-IPv6-Pool.
· The login.RADIUSLogin (JAAS) Login Module now returns attributes from an authentication through the CallBackHandler. See the example in examples/login/RADIUSHandler.java to see how this is done using the CallBack class ResponseAttributes.
· The Authinfo.createMSCHAP() method now produces two MS VS attributes when creating for the challenge and response values. This means that each MS VSA will only hold one value, one being the challenge and the other the response. Some servers can't understand multiple sub-attributes in a Vendor-Specific attribute.
· Added a RADIUSClient method authenticate(byte packet[]) to send 'replay' packets to the server.
· Added RADIUSClient.getError() and getErrorString() to get information on what caused a Access-BadPacket error.
· RADIUSClient now has a method to permit empty attributes from clients or other servers. The method is RADIUSClient.allowEmptyAttributes(boolean).
· Added duplicate packet checking.
· Added an EAP MD5 client. There is a base EAPClient class that can be extended to handle additional EAP authentication systems.
· MS-CHAP & MS-CHAP 2 is supported. There is one deviation from the standard - the User-Name is not converted to Unicode as it did not work on the test server, although the ASCII encoding worked. If you find a server that requires a Unicode name please let us know.
· Added two challenge methods to RADIUSClient: getChallenge16() and getChallenge8() to produce random challenges used by a variety of authentication schemes.
· Added more debugging output to the client when corrupt attributes are received.
· Added support for javax.security.auth.login.spi.LoginModule. The com.theorem.radserver3.login.RADIUSLogin class handles PAP and CHAP logins.
· Added methods to access the request authenticator and secret: getRequestAuthenticator() and getSecret().
· Added debugging ability to view packets as they come and go. Use RADIUSClient.setDebug(true) to enable debugging. The debugging information is sent to the standard error output or a file. The information includes the packet and its attributes and the reason why an Access_BadPacket is returned by the authenticate() and accounting() methods.
· Fixed a small problem in the test class radtest.java where the random number generator wasn't starting with a new number (this only affects the secure version, not the demo version). This could result in incorrect duplicate packet detection by the server.
· Deprecated authenticate(byte chapPassword[], AttributeList alist) as it is now redundant because of the above change.
· Fixed a problem with Attribute.getVendorID() where it used to return only two bytes instead of four.
· Added AttributeList.createCHAPChallenge(byte plaintextPassword[]) to allow clients to create a simulated CHAP challenge.
· Fixed some String.getBytes() calls to use UTF-8 instead of the platform default encoding.
· Added more conversion methods to the Attribute class - getString() and getIP().
· Changed the AV class to contain sub-classes to avoid naming conflicts in attribute values. Instead of AV.Start it's AV.Acct_Status_Type.Start.
· RADIUSClient has a new method: authenticate(byte chapPassword[], AttributeList alist), so a CHAP password can be sent as the authenticator.
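The CHAP items above (createCHAPChallenge() and authenticate(byte chapPassword[], ...)) both come down to the RFC 2865 section 5.3 construction: CHAP-Password is the one-octet CHAP identifier followed by MD5(Identifier + password + challenge), and the challenge is the CHAP-Challenge attribute when present, otherwise the Request Authenticator. The following is an added example, not code from the original page or from the radius3 library; the attribute dictionary layout, sample password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60  # RFC 2865 attribute types


def chap_response(ident, password, challenge):
    """CHAP-Password value (RFC 2865 section 5.3, RFC 1994):
    CHAP Ident (1 octet) || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def simulate_chap_client(password, challenge=None, ident=None):
    """A client that only holds the plaintext can still build a CHAP exchange by
    generating the challenge itself (what a createCHAPChallenge() style helper
    does).  Returns the attributes to place in the Access-Request, keyed by type."""
    challenge = os.urandom(16) if challenge is None else challenge
    ident = os.urandom(1)[0] if ident is None else ident
    return {CHAP_CHALLENGE: challenge, CHAP_PASSWORD: chap_response(ident, password, challenge)}


def verify_chap(attrs, request_authenticator, stored_password):
    """Server side.  Uses CHAP-Challenge when present, else the Request
    Authenticator of the Access-Request.  Needs the plaintext password on the
    server, which is CHAP's main operational cost."""
    response = attrs.get(CHAP_PASSWORD)
    if response is None or len(response) != 17:
        return False
    challenge = attrs.get(CHAP_CHALLENGE, request_authenticator)
    expected = chap_response(response[0], stored_password, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample values for this example.
REQUEST_AUTH = bytes(range(16, 32))
PASSWORD = b"correct horse"

if __name__ == "__main__":
    attrs = simulate_chap_client(PASSWORD)
    print("CHAP-Password:", attrs[CHAP_PASSWORD].hex())
    print("verified:", verify_chap(attrs, REQUEST_AUTH, PASSWORD))
```

Note that a client which generates its own challenge is proving only that it holds the plaintext; the server gains no replay protection from the challenge unless it supplied it, which is why a real NAS forwards the challenge it issued to the peer rather than inventing one.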
· Added server log message to SessionManager to notify that packets are being dropped because there are too few session threads. It takes care to lightly impact additional thread drops by reporting only after a certain number of packets have been dropped and after a certain time has passed since the last occurrence. It also tracks this in the RADIUS MIB.
· Attribute and AttributeList classes have been improved for speed.
· Added RADIUSServer.setFastNAS() which short-circuits the string NAS checking and simply checks that the packet source IP address is in the NAS list. This defeats some server security to gain speed; since a UDP source address is trivially spoofed, use it only where the network path to the server is trusted.
· Enhance AttributeList - it runs a little faster.
· Public release with documentation.
· Creation of classes from the RADIUSServer.
· Migrated RADIUSClient.convertToTunnel() to this version from Radius version 2.X.
· Added some additional methods:
{@link Attribute#getAttribute()} - returns the full attribute (TAG, LENGTH, DATA).
{@link AttributeList#exists(int)} - see if particular attribute exists in the list.
{@link AttributeList#dataSize()} - get the accumulated size of the attributes of a RADIUS packet
{@link AttributeList#size()} - get the number of attributes
{@link AttributeList#size(int)} - get the number of attributes of the given type.
{@link AttributeList#toHexString(byte [])} - Convert a byte array to a hex string.
{@link Radius#reset()} - Reset the RADIUS class for a new authentication or accounting.
{@link VendorSpecific#addVendor} - add a new vendor definition class.
· Fixed a problem with password encryption for empty passwords.
· Extended the client to include RFCs 2865 (RADIUS authentication), 2866 (RADIUS accounting), 2867 (accounting modifications for tunnel protocol support) and 2869 (RADIUS extensions).
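The empty-password case above is the one edge in RFC 2865 section 5.2 User-Password hiding that is easy to get wrong: the password is NUL-padded to a multiple of 16 octets, but the attribute must still be at least 16 octets, so an empty password has to produce one full block rather than none. The following is an added example, not code from the original page or from the radius3 library; the secret, request authenticator and function names are constructed for illustration.

```python
import hashlib

MAX_PASSWORD = 128  # RFC 2865 section 5.2 limits User-Password to 128 octets


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 (minimum 16), then
    c1 = p1 XOR MD5(Secret || RequestAuthenticator), ci = pi XOR MD5(Secret || c(i-1)).
    Treating an empty password as zero blocks yields a zero-length attribute
    that the server cannot decode; it must become one block of NULs."""
    if len(password) > MAX_PASSWORD:
        raise ValueError("User-Password is limited to 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)  # ceiling to 16, at least 16
    padded = password.ljust(padded_len, b"\0")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(data, secret, request_auth):
    """Server side inverse.  Trailing NUL padding is stripped, which is why a
    RADIUS password cannot itself end in a NUL octet."""
    if not data or len(data) % 16 or len(data) > MAX_PASSWORD:
        raise ValueError("User-Password must be 16..128 octets in multiples of 16")
    plain, prev = b"", request_auth
    for i in range(0, len(data), 16):
        plain += _xor(data[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = data[i:i + 16]
    return plain.rstrip(b"\0")


# Constructed sample values for this example.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(32, 48))

if __name__ == "__main__":
    for pw in (b"", b"p@ss", b"x" * 16, b"x" * 17):
        hidden = hide_password(pw, SECRET, REQUEST_AUTH)
        print(len(pw), "->", len(hidden), reveal_password(hidden, SECRET, REQUEST_AUTH) == pw)
```

The keystream is MD5 of the shared secret and the request authenticator, so the strength of this hiding rests entirely on the secret's entropy and on the authenticator being fresh per request; a reused authenticator lets an observer XOR two hidden passwords together.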
· Added a VendorSpecific class to handle Vendor-Specific attributes.
· Added a better way to access attributes through the Attribute, and AttributeList classes. These also support Tunnel Tags and toString() methods, including toString() for VendorSpecific attributes. Copied all Accounting attributes from RadiusAcct.java to RadiusStd.java. RadiusAcct.java is only present for backwards compatibility.
· There is also an A.java that holds the same list as RadiusStd.java but without the flags for interpreting other attribute properties. Rather than typing RadiusStd.NAS_IP_Address it's just A.NAS_IP_Address.
· Fixed a problem where explicit numeric attribute tags couldn't set data. Added support for 'RADIUS Attributes for Tunnel Protocol Support' (RFC 2868).