import freeradius-3.0.20-9.module+el8.5.0+12103+998f1584

2021-10-05 21:44:41 -04:00 · 2021-10-05 21:44:41 -04:00 · 0b2bad06b2
commit 0b2bad06b2
parent 13e6db7b89
6 changed files with 270 additions and 2 deletions
--- a/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
+++ b/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
@ -0,0 +1,39 @@
 Author: Antonio Torres <antorres@redhat.com>
 Date:   Fri Jul 2 07:12:48 2021 -0400
 Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
 	FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
 	explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
 	variable to 1 or else FR should exit at start.
 	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
 	Signed-off-by: Antonio Torres antorres@redhat.com
 ---
 src/main/radiusd.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 diff --git a/src/main/radiusd.c b/src/main/radiusd.c
 index 9739514509..58a48895e6 100644
 --- a/src/main/radiusd.c
 +++ b/src/main/radiusd.c
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 +	/*
 +	 *  If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
 +	 */
 +	char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
 +	FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
 +	if (fips_file != NULL) {
 +		int fips_enabled = fgetc(fips_file) - '0';
 +		fclose(fips_file);
 +		if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
 +			fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
 +			exit(EXIT_FAILURE);
 +		}
 +	}
 +
 	/*
 	 *  According to the talloc peeps, no two threads may modify any part of
 	 *  a ctx tree with a common root without synchronisation.
--- a/SOURCES/freeradius-Fix-resource-hard-limit-error.patch
+++ b/SOURCES/freeradius-Fix-resource-hard-limit-error.patch
@ -0,0 +1,32 @@
 commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
 Author: Antonio Torres <antorres@redhat.com>
 Date:   Fri Jul 2 07:12:48 2021 -0400
 Subject: [PATCH] debug: don't set resource hard limit to zero
    Setting the resource hard limit to zero is irreversible, meaning if it
    is set to zero then there is no way to set it higher. This means
    enabling core dump is not possible, since setting a new resource limit
    for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
    can disable and enable core dumps without failures.
    This fix is present in both main and 3.0.x upstream branches.
    Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
    Signed-off-by: Antonio Torres antorres@redhat.com
 ---
 src/lib/debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/lib/debug.c b/src/lib/debug.c
 index 576bcb2a65..6330c9cb66 100644
 --- a/src/lib/debug.c
 +++ b/src/lib/debug.c
@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
 		struct rlimit no_core;
 		no_core.rlim_cur = 0;
 -		no_core.rlim_max = 0;
 +		no_core.rlim_max = core_limits.rlim_max;
 		if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
 			fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));
--- a/SOURCES/freeradius-bootstrap-run-only-once.patch
+++ b/SOURCES/freeradius-bootstrap-run-only-once.patch
@ -0,0 +1,72 @@
 Author: Antonio Torres <antorres@redhat.com>
 Date:   Wed Jul 20 2021
 Subject: [PATCH] ensure bootstrap script is run only once
 	The bootstrap script should only run once. By checking if there are
 	certificates in the directory, we can exit early if certificates were
 	already generated.
 	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
 	Signed-off-by: Antonio Torres antorres@redhat.com
 ---
 raddb/certs/README    | 16 ++++++----------
 raddb/certs/bootstrap | 18 ++++++++++++------
 2 files changed, 18 insertions(+), 16 deletions(-)
 diff --git a/raddb/certs/README b/raddb/certs/README
 index 6288921da1..32413964dd 100644
 --- a/raddb/certs/README
 +++ b/raddb/certs/README
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
 your users, and to issue client certificates for EAP-TLS.
   If FreeRADIUS was configured to use OpenSSL, then simply starting
 -the server in root in debugging mode should also create test
 -certificates, i.e.:
 +the server in root mode should also create test certificates.
 -$ radiusd -X
 -
 -  That will cause the EAP-TLS module to run the "bootstrap" script in
 -this directory.  The script will be executed only once, the first time
 -the server has been installed on a particular machine.  This bootstrap
 -script SHOULD be run on installation of any pre-built binary package
 -for your OS.  In any case, the script will ensure that it is not run
 -twice, and that it does not over-write any existing certificates.
 +  The start of FreeRADIUS will cause to run the "bootstrap" script.
 +The script will be executed during every start of FreeRADIUS via systemd but
 +the script will ensure that it does not overwrite any existing certificates.
 +Ideally, the bootstrap script file should be deleted after new testing certificates
 +have been generated.
   If you already have CA and server certificates, rename (or delete)
 this directory, and create a new "certs" directory containing your
 diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
 index 0f719aafd4..92254dc936 100755
 --- a/raddb/certs/bootstrap
 +++ b/raddb/certs/bootstrap
@@ -1,12 +1,18 @@
 #!/bin/sh
 #
 -#  This is a wrapper script to create default certificates when the
 -#  server first starts in debugging mode.  Once the certificates have been
 -#  created, this file should be deleted.
 +# Bootstrap script should be run only once. If there are already certificates
 +# generated, skip the execution.
 +#
 +cd `dirname $0`
 +if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
 +  exit 0
 +fi
 +
 #
 -#  Ideally, this program should be run as part of the installation of any
 -#  binary package.  The installation should also ensure that the permissions
 -#  and owners are correct for the files generated by this script.
 +#  This is a wrapper script to create default certificates when the
 +#  server starts via systemd. It should also ensure that the
 +#  permissions and owners are correct for the generated files. Once
 +# the certificates have been created, this file should be deleted.
 #
 #  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
 #
--- a/SOURCES/freeradius-man-Fix-some-typos.patch
+++ b/SOURCES/freeradius-man-Fix-some-typos.patch
@ -0,0 +1,93 @@
 From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
 From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
 Date: Fri, 14 Sep 2018 11:53:28 +0300
 Subject: [PATCH] man: Fix some typos
 ---
 man/man1/radzap.1   | 4 ++--
 man/man5/unlang.5   | 6 +++---
 man/man8/radcrypt.8 | 2 +-
 man/man8/radiusd.8  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
 diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
 index a2d529d064..03b9a43a54 100644
 --- a/man/man1/radzap.1
 +++ b/man/man1/radzap.1
@@ -1,4 +1,4 @@
 -.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
 +.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
 .SH NAME
 radzap - remove rogue entries from the active sessions database
 .SH SYNOPSIS
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
 .RB [ \-x ]
 \fIserver[:port] secret\fP
 .SH DESCRIPTION
 -The FreeRadius server can be configured to maintain an active session
 +The FreeRADIUS server can be configured to maintain an active session
 database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
 use this database. Sometimes that database can get out of sync, and
 then it might contain rogue entries. \fBradzap\fP can clean up this
 diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
 index 40db5fa6e7..5f765f1787 100644
 --- a/man/man5/unlang.5
 +++ b/man/man5/unlang.5
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
 of Version 3, the <list> can be omitted, in which case "request" is
 assumed.
 -The "control" list is the list of attributes maintainted internally by
 +The "control" list is the list of attributes maintained internally by
 the server that controls how the server processes the request.  Any
 attribute that does not go in a packet on the network will generally
 be placed in the "control" list.
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
 quotes, or back-quoted).  Also evaluates to true if 'foo' is a
 non-zero number.  Note that the language is poorly typed, so the
 string "0000" can be interpreted as a numerical zero.  This issue can
 -be avoided by comparings strings to an empty string, rather than by
 +be avoided by comparing strings to an empty string, rather than by
 evaluating the string by itself.
 If the word 'foo' is not a quoted string, then it can be taken as a
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
 .IP ok
 Instructs the server that the request was processed properly.  This
 keyword can be used to over-ride earlier failures, if the local
 -administrator determines that the faiures are not catastrophic.
 +administrator determines that the failures are not catastrophic.
 .IP reject
 Causes the request to be immediately rejected
 .SH MODULE RETURN CODES
 diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
 index 08336c66f2..2917f60c46 100644
 --- a/man/man8/radcrypt.8
 +++ b/man/man8/radcrypt.8
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
 Ignored if performing a password check.
 .IP "\-c --check"
 Perform a validation check on a password hash to verify if it matches
 -the plantext password.
 +the plaintext password.
 .SH EXAMPLES
 .nf
 diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
 index 98aef5e1be..2ef5ccf789 100644
 --- a/man/man8/radiusd.8
 +++ b/man/man8/radiusd.8
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
 used in the other configuration files.  You don't have to modify it.
 It includes other dictionary files in the same directory.
 .IP hints
 -Defines certain hints to the radius server based on the users's loginname
 +Defines certain hints to the radius server based on the users' loginname
 or other attributes sent by the access server. It also provides for
 mapping user names (such as Pusername -> username). This provides the
 functionality that the \fILivingston 2.0\fP server has as "Prefix" and
 -"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
 +"Suffix" support in the \fIusers\fP file, but is more general. Of course
 the Livingston way of doing things is also supported, and you can even use
 both at the same time (within certain limits).
 .IP huntgroups
--- a/SOURCES/radiusd.service
+++ b/SOURCES/radiusd.service
@ -6,7 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
 Type=forking
 PIDFile=/var/run/radiusd/radiusd.pid
 ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
-ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
+ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
 ExecStartPre=/usr/sbin/radiusd -C
 ExecStart=/usr/sbin/radiusd -d /etc/raddb
 ExecReload=/usr/sbin/radiusd -C
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@ -9,7 +9,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.20
-Release: 3%{?dist}
+Release: 9%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@ -38,6 +38,10 @@ Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
 Patch6: freeradius-bootstrap-make-permissions.patch
 Patch7: freeradius-no-dh-param-load-FIPS.patch
 Patch8: freeradius-bootstrap-fixed-dhparam.patch
 Patch9: freeradius-man-Fix-some-typos.patch
 Patch10: freeradius-Fix-resource-hard-limit-error.patch
 Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
 Patch12: freeradius-bootstrap-run-only-once.patch
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -234,6 +238,10 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 # Add fixed dhparam file to the source to ensure `make tests` can run.
 cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
@ -884,6 +892,30 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 %changelog
 * Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
 - radiusd.service: don't fail if bootstrap script is not present
  Resolves: bz#1954521
 * Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
 - Extend info about boostrap script in README and comments
  Resolves: bz#1954521
 * Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
 - Ensure bootstrap script is run only once
  Resolves: bz#1954521
 * Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
 - Exit if host in FIPS mode and MD5 usage not explicitly allowed
  Resolves: bz#1958979
 * Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
 - Fix coredump not being able to be enabled
  Resolves: bz#1977572
 * Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
 - Fix some manpage typos
  Resolves: bz#1843807
 * Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
 - Require make for proper bootstrap execution, removes post script
  Resolves: bz#1672285