import freeradius-3.0.20-9.module+el8.5.0+12103+998f1584

This commit is contained in:
CentOS Sources 2021-10-05 21:44:41 -04:00 committed by Stepan Oksanichenko
parent 13e6db7b89
commit 0b2bad06b2
6 changed files with 270 additions and 2 deletions

View File

@ -0,0 +1,39 @@
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
variable to 1 or else FR should exit at start.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/main/radiusd.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 9739514509..58a48895e6 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
+ /*
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
+ */
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (fips_file != NULL) {
+ int fips_enabled = fgetc(fips_file) - '0';
+ fclose(fips_file);
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+
/*
* According to the talloc peeps, no two threads may modify any part of
* a ctx tree with a common root without synchronisation.

View File

@ -0,0 +1,32 @@
commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] debug: don't set resource hard limit to zero
Setting the resource hard limit to zero is irreversible, meaning if it
is set to zero then there is no way to set it higher. This means
enabling core dump is not possible, since setting a new resource limit
for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
can disable and enable core dumps without failures.
This fix is present in both main and 3.0.x upstream branches.
Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/lib/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/debug.c b/src/lib/debug.c
index 576bcb2a65..6330c9cb66 100644
--- a/src/lib/debug.c
+++ b/src/lib/debug.c
@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
struct rlimit no_core;
no_core.rlim_cur = 0;
- no_core.rlim_max = 0;
+ no_core.rlim_max = core_limits.rlim_max;
if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

View File

@ -0,0 +1,72 @@
Author: Antonio Torres <antorres@redhat.com>
Date: Wed Jul 20 2021
Subject: [PATCH] ensure bootstrap script is run only once
The bootstrap script should only run once. By checking if there are
certificates in the directory, we can exit early if certificates were
already generated.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
Signed-off-by: Antonio Torres antorres@redhat.com
---
raddb/certs/README | 16 ++++++----------
raddb/certs/bootstrap | 18 ++++++++++++------
2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/README b/raddb/certs/README
index 6288921da1..32413964dd 100644
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode should also create test
-certificates, i.e.:
+the server in root mode should also create test certificates.
-$ radiusd -X
-
- That will cause the EAP-TLS module to run the "bootstrap" script in
-this directory. The script will be executed only once, the first time
-the server has been installed on a particular machine. This bootstrap
-script SHOULD be run on installation of any pre-built binary package
-for your OS. In any case, the script will ensure that it is not run
-twice, and that it does not over-write any existing certificates.
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
+The script will be executed during every start of FreeRADIUS via systemd but
+the script will ensure that it does not overwrite any existing certificates.
+Ideally, the bootstrap script file should be deleted after new testing certificates
+have been generated.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new "certs" directory containing your
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aafd4..92254dc936 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -1,12 +1,18 @@
#!/bin/sh
#
-# This is a wrapper script to create default certificates when the
-# server first starts in debugging mode. Once the certificates have been
-# created, this file should be deleted.
+# Bootstrap script should be run only once. If there are already certificates
+# generated, skip the execution.
+#
+cd `dirname $0`
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
+ exit 0
+fi
+
#
-# Ideally, this program should be run as part of the installation of any
-# binary package. The installation should also ensure that the permissions
-# and owners are correct for the files generated by this script.
+# This is a wrapper script to create default certificates when the
+# server starts via systemd. It should also ensure that the
+# permissions and owners are correct for the generated files. Once
+# the certificates have been created, this file should be deleted.
#
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
#

View File

@ -0,0 +1,93 @@
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 11:53:28 +0300
Subject: [PATCH] man: Fix some typos
---
man/man1/radzap.1 | 4 ++--
man/man5/unlang.5 | 6 +++---
man/man8/radcrypt.8 | 2 +-
man/man8/radiusd.8 | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
index a2d529d064..03b9a43a54 100644
--- a/man/man1/radzap.1
+++ b/man/man1/radzap.1
@@ -1,4 +1,4 @@
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
.SH NAME
radzap - remove rogue entries from the active sessions database
.SH SYNOPSIS
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
.RB [ \-x ]
\fIserver[:port] secret\fP
.SH DESCRIPTION
-The FreeRadius server can be configured to maintain an active session
+The FreeRADIUS server can be configured to maintain an active session
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
use this database. Sometimes that database can get out of sync, and
then it might contain rogue entries. \fBradzap\fP can clean up this
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
index 40db5fa6e7..5f765f1787 100644
--- a/man/man5/unlang.5
+++ b/man/man5/unlang.5
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
of Version 3, the <list> can be omitted, in which case "request" is
assumed.
-The "control" list is the list of attributes maintainted internally by
+The "control" list is the list of attributes maintained internally by
the server that controls how the server processes the request. Any
attribute that does not go in a packet on the network will generally
be placed in the "control" list.
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
quotes, or back-quoted). Also evaluates to true if 'foo' is a
non-zero number. Note that the language is poorly typed, so the
string "0000" can be interpreted as a numerical zero. This issue can
-be avoided by comparings strings to an empty string, rather than by
+be avoided by comparing strings to an empty string, rather than by
evaluating the string by itself.
If the word 'foo' is not a quoted string, then it can be taken as a
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
.IP ok
Instructs the server that the request was processed properly. This
keyword can be used to over-ride earlier failures, if the local
-administrator determines that the faiures are not catastrophic.
+administrator determines that the failures are not catastrophic.
.IP reject
Causes the request to be immediately rejected
.SH MODULE RETURN CODES
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
index 08336c66f2..2917f60c46 100644
--- a/man/man8/radcrypt.8
+++ b/man/man8/radcrypt.8
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
Ignored if performing a password check.
.IP "\-c --check"
Perform a validation check on a password hash to verify if it matches
-the plantext password.
+the plaintext password.
.SH EXAMPLES
.nf
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index 98aef5e1be..2ef5ccf789 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
used in the other configuration files. You don't have to modify it.
It includes other dictionary files in the same directory.
.IP hints
-Defines certain hints to the radius server based on the users's loginname
+Defines certain hints to the radius server based on the users' loginname
or other attributes sent by the access server. It also provides for
mapping user names (such as Pusername -> username). This provides the
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
the Livingston way of doing things is also supported, and you can even use
both at the same time (within certain limits).
.IP huntgroups

View File

@ -6,7 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
Type=forking
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C

View File

@ -9,7 +9,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.20
Release: 3%{?dist}
Release: 9%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
@ -38,6 +38,10 @@ Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
Patch6: freeradius-bootstrap-make-permissions.patch
Patch7: freeradius-no-dh-param-load-FIPS.patch
Patch8: freeradius-bootstrap-fixed-dhparam.patch
Patch9: freeradius-man-Fix-some-typos.patch
Patch10: freeradius-Fix-resource-hard-limit-error.patch
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
Patch12: freeradius-bootstrap-run-only-once.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -234,6 +238,10 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
# Add fixed dhparam file to the source to ensure `make tests` can run.
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
@ -884,6 +892,30 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
- radiusd.service: don't fail if bootstrap script is not present
Resolves: bz#1954521
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
- Extend info about boostrap script in README and comments
Resolves: bz#1954521
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
- Ensure bootstrap script is run only once
Resolves: bz#1954521
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
Resolves: bz#1958979
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
- Fix coredump not being able to be enabled
Resolves: bz#1977572
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
- Fix some manpage typos
Resolves: bz#1843807
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
- Require make for proper bootstrap execution, removes post script
Resolves: bz#1672285