From 0b2bad06b24fd641c40a4825ea469b833c6b7557 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 5 Oct 2021 21:44:41 -0400 Subject: [PATCH] import freeradius-3.0.20-9.module+el8.5.0+12103+998f1584 --- ...eradius-FIPS-exit-if-md5-not-allowed.patch | 39 ++++++++ ...radius-Fix-resource-hard-limit-error.patch | 32 +++++++ .../freeradius-bootstrap-run-only-once.patch | 72 ++++++++++++++ SOURCES/freeradius-man-Fix-some-typos.patch | 93 +++++++++++++++++++ SOURCES/radiusd.service | 2 +- SPECS/freeradius.spec | 34 ++++++- 6 files changed, 270 insertions(+), 2 deletions(-) create mode 100644 SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch create mode 100644 SOURCES/freeradius-Fix-resource-hard-limit-error.patch create mode 100644 SOURCES/freeradius-bootstrap-run-only-once.patch create mode 100644 SOURCES/freeradius-man-Fix-some-typos.patch diff --git a/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch b/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch new file mode 100644 index 0000000..6c677b9 --- /dev/null +++ b/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch @@ -0,0 +1,39 @@ +Author: Antonio Torres +Date: Fri Jul 2 07:12:48 2021 -0400 +Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed + + FIPS does not allow MD5, which FreeRADIUS needs to work. The user should + explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment + variable to 1 or else FR should exit at start. + + Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979 + Signed-off-by: Antonio Torres antorres@redhat.com +--- + src/main/radiusd.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/main/radiusd.c b/src/main/radiusd.c +index 9739514509..58a48895e6 100644 +--- a/src/main/radiusd.c ++++ b/src/main/radiusd.c +@@ -298,6 +298,20 @@ int main(int argc, char *argv[]) + exit(EXIT_FAILURE); + } + ++ /* ++ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage. ++ */ ++ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE"); ++ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r"); ++ if (fips_file != NULL) { ++ int fips_enabled = fgetc(fips_file) - '0'; ++ fclose(fips_file); ++ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) { ++ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n"); ++ exit(EXIT_FAILURE); ++ } ++ } ++ + /* + * According to the talloc peeps, no two threads may modify any part of + * a ctx tree with a common root without synchronisation. diff --git a/SOURCES/freeradius-Fix-resource-hard-limit-error.patch b/SOURCES/freeradius-Fix-resource-hard-limit-error.patch new file mode 100644 index 0000000..800c06c --- /dev/null +++ b/SOURCES/freeradius-Fix-resource-hard-limit-error.patch @@ -0,0 +1,32 @@ +commit 1ce4508c92493cf03ea1b3c42e83540b387884fa +Author: Antonio Torres +Date: Fri Jul 2 07:12:48 2021 -0400 +Subject: [PATCH] debug: don't set resource hard limit to zero + + Setting the resource hard limit to zero is irreversible, meaning if it + is set to zero then there is no way to set it higher. This means + enabling core dump is not possible, since setting a new resource limit + for RLIMIT_CORE would fail. By only setting the soft limit to zero, we + can disable and enable core dumps without failures. + + This fix is present in both main and 3.0.x upstream branches. + + Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572 + Signed-off-by: Antonio Torres antorres@redhat.com +--- + src/lib/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/debug.c b/src/lib/debug.c +index 576bcb2a65..6330c9cb66 100644 +--- a/src/lib/debug.c ++++ b/src/lib/debug.c +@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps) + struct rlimit no_core; + + no_core.rlim_cur = 0; +- no_core.rlim_max = 0; ++ no_core.rlim_max = core_limits.rlim_max; + + if (setrlimit(RLIMIT_CORE, &no_core) < 0) { + fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno)); diff --git a/SOURCES/freeradius-bootstrap-run-only-once.patch b/SOURCES/freeradius-bootstrap-run-only-once.patch new file mode 100644 index 0000000..ae12c4e --- /dev/null +++ b/SOURCES/freeradius-bootstrap-run-only-once.patch @@ -0,0 +1,72 @@ +Author: Antonio Torres +Date: Wed Jul 20 2021 +Subject: [PATCH] ensure bootstrap script is run only once + + The bootstrap script should only run once. By checking if there are + certificates in the directory, we can exit early if certificates were + already generated. + + Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521 + Signed-off-by: Antonio Torres antorres@redhat.com +--- + raddb/certs/README | 16 ++++++---------- + raddb/certs/bootstrap | 18 ++++++++++++------ + 2 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/raddb/certs/README b/raddb/certs/README +index 6288921da1..32413964dd 100644 +--- a/raddb/certs/README ++++ b/raddb/certs/README +@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate + your users, and to issue client certificates for EAP-TLS. + + If FreeRADIUS was configured to use OpenSSL, then simply starting +-the server in root in debugging mode should also create test +-certificates, i.e.: ++the server in root mode should also create test certificates. + +-$ radiusd -X +- +- That will cause the EAP-TLS module to run the "bootstrap" script in +-this directory. The script will be executed only once, the first time +-the server has been installed on a particular machine. This bootstrap +-script SHOULD be run on installation of any pre-built binary package +-for your OS. In any case, the script will ensure that it is not run +-twice, and that it does not over-write any existing certificates. ++ The start of FreeRADIUS will cause to run the "bootstrap" script. ++The script will be executed during every start of FreeRADIUS via systemd but ++the script will ensure that it does not overwrite any existing certificates. ++Ideally, the bootstrap script file should be deleted after new testing certificates ++have been generated. + + If you already have CA and server certificates, rename (or delete) + this directory, and create a new "certs" directory containing your +diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap +index 0f719aafd4..92254dc936 100755 +--- a/raddb/certs/bootstrap ++++ b/raddb/certs/bootstrap +@@ -1,12 +1,18 @@ + #!/bin/sh + # +-# This is a wrapper script to create default certificates when the +-# server first starts in debugging mode. Once the certificates have been +-# created, this file should be deleted. ++# Bootstrap script should be run only once. If there are already certificates ++# generated, skip the execution. ++# ++cd `dirname $0` ++if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then ++ exit 0 ++fi ++ + # +-# Ideally, this program should be run as part of the installation of any +-# binary package. The installation should also ensure that the permissions +-# and owners are correct for the files generated by this script. ++# This is a wrapper script to create default certificates when the ++# server starts via systemd. It should also ensure that the ++# permissions and owners are correct for the generated files. Once ++# the certificates have been created, this file should be deleted. + # + # $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $ + # diff --git a/SOURCES/freeradius-man-Fix-some-typos.patch b/SOURCES/freeradius-man-Fix-some-typos.patch new file mode 100644 index 0000000..ad4e188 --- /dev/null +++ b/SOURCES/freeradius-man-Fix-some-typos.patch @@ -0,0 +1,93 @@ +From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001 +From: Nikolai Kondrashov +Date: Fri, 14 Sep 2018 11:53:28 +0300 +Subject: [PATCH] man: Fix some typos + +--- + man/man1/radzap.1 | 4 ++-- + man/man5/unlang.5 | 6 +++--- + man/man8/radcrypt.8 | 2 +- + man/man8/radiusd.8 | 4 ++-- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/man/man1/radzap.1 b/man/man1/radzap.1 +index a2d529d064..03b9a43a54 100644 +--- a/man/man1/radzap.1 ++++ b/man/man1/radzap.1 +@@ -1,4 +1,4 @@ +-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon" ++.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon" + .SH NAME + radzap - remove rogue entries from the active sessions database + .SH SYNOPSIS +@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database + .RB [ \-x ] + \fIserver[:port] secret\fP + .SH DESCRIPTION +-The FreeRadius server can be configured to maintain an active session ++The FreeRADIUS server can be configured to maintain an active session + database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1) + use this database. Sometimes that database can get out of sync, and + then it might contain rogue entries. \fBradzap\fP can clean up this +diff --git a/man/man5/unlang.5 b/man/man5/unlang.5 +index 40db5fa6e7..5f765f1787 100644 +--- a/man/man5/unlang.5 ++++ b/man/man5/unlang.5 +@@ -195,7 +195,7 @@ The can be one of "request", "reply", "proxy-request", + of Version 3, the can be omitted, in which case "request" is + assumed. + +-The "control" list is the list of attributes maintainted internally by ++The "control" list is the list of attributes maintained internally by + the server that controls how the server processes the request. Any + attribute that does not go in a packet on the network will generally + be placed in the "control" list. +@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double + quotes, or back-quoted). Also evaluates to true if 'foo' is a + non-zero number. Note that the language is poorly typed, so the + string "0000" can be interpreted as a numerical zero. This issue can +-be avoided by comparings strings to an empty string, rather than by ++be avoided by comparing strings to an empty string, rather than by + evaluating the string by itself. + + If the word 'foo' is not a quoted string, then it can be taken as a +@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section. + .IP ok + Instructs the server that the request was processed properly. This + keyword can be used to over-ride earlier failures, if the local +-administrator determines that the faiures are not catastrophic. ++administrator determines that the failures are not catastrophic. + .IP reject + Causes the request to be immediately rejected + .SH MODULE RETURN CODES +diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8 +index 08336c66f2..2917f60c46 100644 +--- a/man/man8/radcrypt.8 ++++ b/man/man8/radcrypt.8 +@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash. + Ignored if performing a password check. + .IP "\-c --check" + Perform a validation check on a password hash to verify if it matches +-the plantext password. ++the plaintext password. + + .SH EXAMPLES + .nf +diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8 +index 98aef5e1be..2ef5ccf789 100644 +--- a/man/man8/radiusd.8 ++++ b/man/man8/radiusd.8 +@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes + used in the other configuration files. You don't have to modify it. + It includes other dictionary files in the same directory. + .IP hints +-Defines certain hints to the radius server based on the users's loginname ++Defines certain hints to the radius server based on the users' loginname + or other attributes sent by the access server. It also provides for + mapping user names (such as Pusername -> username). This provides the + functionality that the \fILivingston 2.0\fP server has as "Prefix" and +-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse ++"Suffix" support in the \fIusers\fP file, but is more general. Of course + the Livingston way of doing things is also supported, and you can even use + both at the same time (within certain limits). + .IP huntgroups diff --git a/SOURCES/radiusd.service b/SOURCES/radiusd.service index d073530..a57ccf4 100644 --- a/SOURCES/radiusd.service +++ b/SOURCES/radiusd.service @@ -6,7 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv Type=forking PIDFile=/var/run/radiusd/radiusd.pid ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd -ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap +ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap ExecStartPre=/usr/sbin/radiusd -C ExecStart=/usr/sbin/radiusd -d /etc/raddb ExecReload=/usr/sbin/radiusd -C diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec index 040a696..5212f84 100644 --- a/SPECS/freeradius.spec +++ b/SPECS/freeradius.spec @@ -9,7 +9,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius Version: 3.0.20 -Release: 3%{?dist} +Release: 9%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ @@ -38,6 +38,10 @@ Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch Patch6: freeradius-bootstrap-make-permissions.patch Patch7: freeradius-no-dh-param-load-FIPS.patch Patch8: freeradius-bootstrap-fixed-dhparam.patch +Patch9: freeradius-man-Fix-some-typos.patch +Patch10: freeradius-Fix-resource-hard-limit-error.patch +Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch +Patch12: freeradius-bootstrap-run-only-once.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -234,6 +238,10 @@ This plugin provides the REST support for the FreeRADIUS server project. %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 # Add fixed dhparam file to the source to ensure `make tests` can run. cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam @@ -884,6 +892,30 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %changelog +* Tue Aug 03 2021 Antonio Torres - 3.0.20-9 +- radiusd.service: don't fail if bootstrap script is not present + Resolves: bz#1954521 + +* Fri Jul 30 2021 Antonio Torres - 3.0.20-8 +- Extend info about boostrap script in README and comments + Resolves: bz#1954521 + +* Wed Jul 21 2021 Antonio Torres - 3.0.20-7 +- Ensure bootstrap script is run only once + Resolves: bz#1954521 + +* Mon Jul 19 2021 Antonio Torres - 3.0.20-6 +- Exit if host in FIPS mode and MD5 usage not explicitly allowed + Resolves: bz#1958979 + +* Mon Jul 19 2021 Antonio Torres - 3.0.20-5 +- Fix coredump not being able to be enabled + Resolves: bz#1977572 + +* Mon Jul 19 2021 Antonio Torres - 3.0.20-4 +- Fix some manpage typos + Resolves: bz#1843807 + * Thu Aug 06 2020 Alexander Scheel - 3.0.20-3 - Require make for proper bootstrap execution, removes post script Resolves: bz#1672285