diff --git a/.freeradius.metadata b/.freeradius.metadata
index d4ef592..69b8b0b 100644
--- a/.freeradius.metadata
+++ b/.freeradius.metadata
@@ -1 +1 @@
-a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2
+3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2
diff --git a/.gitignore b/.gitignore
index b0e4a33..87a728a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeradius-server-3.0.17.tar.bz2
+SOURCES/freeradius-server-3.0.20.tar.bz2
diff --git a/SOURCES/freeradius-Add-missing-option-descriptions.patch b/SOURCES/freeradius-Add-missing-option-descriptions.patch
deleted file mode 100644
index 4138b4f..0000000
--- a/SOURCES/freeradius-Add-missing-option-descriptions.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Fri, 14 Sep 2018 12:20:11 +0300 -Subject: [PATCH] man: Add missing option descriptions - ---- - man/man8/raddebug.8 | 4 ++++ - man/man8/radiusd.8 | 7 +++++++ - man/man8/radmin.8 | 4 ++++ - 3 files changed, 15 insertions(+) - -diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8 -index 66e80e64fa..6e27e2453c 100644 ---- a/man/man8/raddebug.8 -+++ b/man/man8/raddebug.8 -@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server. - .IR condition ] - .RB [ \-d - .IR config_directory ] -+.RB [ \-D -+.IR dictionary_directory ] - .RB [ \-n - .IR name ] - .RB [ \-i -@@ -73,6 +75,8 @@ option is equivalent to using: - .IP "\-d \fIconfig directory\fP" - The radius configuration directory, usually /etc/raddb. See the - \fIradmin\fP manual page for more description of this option. -+.IP "\-D \fIdictionary directory\fP" -+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP. - .IP "\-n \fImname\fP" - Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP. - .IP \-I\ \fIipv6-address\fP -diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8 -index c825f22d0d..98aef5e1be 100644 ---- a/man/man8/radiusd.8 -+++ b/man/man8/radiusd.8 -@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server - .RB [ \-C ] - .RB [ \-d - .IR config_directory ] -+.RB [ \-D -+.IR dictionary_directory ] - .RB [ \-f ] - .RB [ \-h ] - .RB [ \-i -@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server - .IR name ] - .RB [ \-p - .IR port ] -+.RB [ \-P ] - .RB [ \-s ] - .RB [ \-t ] - .RB [ \-v ] -@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked. - .IP "\-d \fIconfig directory\fP" - Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration - files such as the \fIdictionary\fP and the \fIusers\fP files. 
-+.IP "\-D \fIdictionary directory\fP" -+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP. - .IP \-f - Do not fork, stay running as a foreground process. - .IP \-h -@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in - \fIradiusd.conf\fP are ignored. - - This option MUST be used in conjunction with "-i". -+.IP "\-P -+Always write out PID, even with -f. - .IP \-s - Run in "single server" mode. The server normally runs with multiple - threads and/or processes, which can lower its response time to -diff --git a/man/man8/radmin.8 b/man/man8/radmin.8 -index 5ecc963d81..5bf661fa71 100644 ---- a/man/man8/radmin.8 -+++ b/man/man8/radmin.8 -@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool - .B radmin - .RB [ \-d - .IR config_directory ] -+.RB [ \-D -+.IR dictionary_directory ] - .RB [ \-e - .IR command ] - .RB [ \-E ] -@@ -34,6 +36,8 @@ The following command-line options are accepted by the program. - Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server - configuration files to find the "listen" section that defines the - control socket filename. -+.IP "\-D \fIdictionary directory\fP" -+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP. - .IP "\-e \fIcommand\fP" - Run \fIcommand\fP and exit. - .IP \-E --- -2.18.0 - diff --git a/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch b/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch index ad51053..6b2329b 100644 --- a/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch +++ b/SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch @@ -12,24 +12,24 @@ diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 2621e183c..94494b2c6 100644 --- a/raddb/mods-available/eap 
+++ b/raddb/mods-available/eap -@@ -472,7 +472,7 @@ eap { - # +@@ -533,7 +533,7 @@ # You should also delete all of the files # in the directory when the server starts. -- # tmpdir = /tmp/radiusd -+ # tmpdir = /var/run/radiusd/tmp + # +- # tmpdir = /tmp/radiusd ++ # tmpdir = /var/run/radiusd/tmp # The command used to verify the client cert. # We recommend using the OpenSSL command-line -@@ -486,7 +486,7 @@ eap { - # in PEM format. This file is automatically +@@ -548,7 +548,7 @@ # deleted by the server when the command # returns. -- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" -+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" + # +- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" ++ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } - # + # OCSP Configuration diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in index a83c1f687..e500cf97b 100644 --- a/raddb/radiusd.conf.in diff --git a/SOURCES/freeradius-EAP-PWD-curve-handling.patch b/SOURCES/freeradius-EAP-PWD-curve-handling.patch deleted file mode 100644 index 3b24a48..0000000 --- a/SOURCES/freeradius-EAP-PWD-curve-handling.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c -index 7f91e4b230..848ca2055e 100644 ---- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c -+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c -@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_ - data_len = BN_num_bytes(session->order); - BN_bin2bn(ptr, data_len, session->peer_scalar); - -+ /* validate received scalar */ -+ if (BN_is_zero(session->peer_scalar) || -+ BN_is_one(session->peer_scalar) || -+ BN_cmp(session->peer_scalar, session->order) >= 0) { -+ ERROR("Peer's scalar is not within the allowed range"); -+ goto finish; -+ } -+ - if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) { - DEBUG2("pwd: unable to get coordinates of peer's element"); - goto finish; - } - -+ /* validate received element */ -+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) || -+ EC_POINT_is_at_infinity(session->group, session->peer_element)) { -+ ERROR("Peer's element is not a point on the elliptic curve"); -+ goto finish; -+ } -+ - /* check to ensure peer's element is not in a small sub-group */ - if (BN_cmp(cofactor, BN_value_one())) { - if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) { -@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_ - } - } - -+ /* detect reflection attacks */ -+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 || -+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) { -+ ERROR("Reflection attack detected"); -+ goto finish; -+ } -+ - /* compute the shared key, k */ - if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) || - (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) || 
diff --git a/SOURCES/freeradius-EAP-PWD-information-leak-10-iterations.patch b/SOURCES/freeradius-EAP-PWD-information-leak-10-iterations.patch deleted file mode 100644 index 0d727f4..0000000 --- a/SOURCES/freeradius-EAP-PWD-information-leak-10-iterations.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef -Date: Wed, 5 Jun 2019 19:21:06 +0000 -Subject: [PATCH] EAP-pwd: fix side-channel leak where 1 in 2018 handshakes - fail - -Previously the Hunting and Pecking algorithm of EAP-pwd aborted when -more than 10 iterations are needed. Every iteration has a 50% chance -of finding the password element. This means one in every 2048 handshakes -will fail, in which case an error frame is sent to the client. This -event leaks information that can be abused in an offline password -brute-force attack. More precisely, the adversary learns that all 10 -iterations failed for the given random EAP-pwd token. Using the same -techniques as in the Dragonblood attack, this can be used to brute-force -the password. - -This patch fixes the above issue by executing enough iterations such that -the password element is always found eventually. - -Note that timing and cache leaks remain a risk against the current -implementation of EAP-pwd. ---- - src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c -index c54f08c030..d94851c3aa 100644 ---- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c -+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c -@@ -192,7 +192,7 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num, - } - ctr = 0; - while (1) { -- if (ctr > 10) { -+ if (ctr > 100) { - DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num); - goto fail; - } 
diff --git a/SOURCES/freeradius-OpenSSL-HMAC-MD5.patch b/SOURCES/freeradius-OpenSSL-HMAC-MD5.patch
deleted file mode 100644
index 1e54c55..0000000
--- a/SOURCES/freeradius-OpenSSL-HMAC-MD5.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Fri, 28 Sep 2018 09:54:46 -0400 -Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's - -If OpenSSL EVP is not found, fallback to internal implementation of -HMAC-MD5. - -Signed-off-by: Alexander Scheel ---- - src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++- - 1 file changed, 33 insertions(+), 1 deletion(-) - -diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c -index 2c662ff368..1cca00fa2a 100644 ---- a/src/lib/hmacmd5.c -+++ b/src/lib/hmacmd5.c -@@ -27,10 +27,41 @@ - - RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $") - -+#ifdef HAVE_OPENSSL_EVP_H -+#include -+#include -+#endif -+ - #include - #include - --/** Calculate HMAC using MD5 -+#ifdef HAVE_OPENSSL_EVP_H -+/** Calculate HMAC using OpenSSL's MD5 implementation -+ * -+ * @param digest Caller digest to be filled in. -+ * @param text Pointer to data stream. -+ * @param text_len length of data stream. -+ * @param key Pointer to authentication key. -+ * @param key_len Length of authentication key. -+ * -+ */ -+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len, -+ uint8_t const *key, size_t key_len) -+{ -+ HMAC_CTX *ctx = HMAC_CTX_new(); -+ -+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW -+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */ -+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); -+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */ -+ -+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL); -+ HMAC_Update(ctx, text, text_len); -+ HMAC_Final(ctx, digest, NULL); -+ HMAC_CTX_free(ctx); -+} -+#else -+/** Calculate HMAC using internal MD5 implementation - * - * @param digest Caller digest to be filled in. - * @param text Pointer to data stream. 
-@@ -101,6 +132,7 @@ - * hash */ - fr_md5_final(digest, &context); /* finish up 2nd pass */ - } -+#endif /* HAVE_OPENSSL_EVP_H */ - - /* - Test Vectors (Trailing '\0' of a character string not included in test): diff --git a/SOURCES/freeradius-OpenSSL-HMAC-SHA1.patch b/SOURCES/freeradius-OpenSSL-HMAC-SHA1.patch deleted file mode 100644 index 6c60951..0000000 --- a/SOURCES/freeradius-OpenSSL-HMAC-SHA1.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Fri, 28 Sep 2018 11:03:52 -0400 -Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's - -If OpenSSL EVP is not found, fallback to internal implementation of -HMAC-SHA1. - -Signed-off-by: Alexander Scheel ---- - src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c -index c3cbd87a2c..211470ea35 100644 ---- a/src/lib/hmacsha1.c -+++ b/src/lib/hmacsha1.c -@@ -10,13 +10,19 @@ - - RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $") - -+#ifdef HAVE_OPENSSL_EVP_H -+#include -+#include -+#endif -+ - #include - - #ifdef HMAC_SHA1_DATA_PROBLEMS - unsigned int sha1_data_problems = 0; - #endif - --/** Calculate HMAC using SHA1 -+#ifdef HAVE_OPENSSL_EVP_H -+/** Calculate HMAC using OpenSSL's SHA1 implementation - * - * @param digest Caller digest to be filled in. - * @param text Pointer to data stream. -@@ -28,6 +34,26 @@ - void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len, - uint8_t const *key, size_t key_len) - { -+ HMAC_CTX *ctx = HMAC_CTX_new(); -+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL); -+ HMAC_Update(ctx, text, text_len); -+ HMAC_Final(ctx, digest, NULL); -+ HMAC_CTX_free(ctx); -+} -+ -+#else -+ -+/** Calculate HMAC using internal SHA1 implementation -+ * -+ * @param digest Caller digest to be filled in. -+ * @param text Pointer to data stream. -+ * @param text_len length of data stream. -+ * @param key Pointer to authentication key. -+ * @param key_len Length of authentication key. 
-+ */ -+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len, -+ uint8_t const *key, size_t key_len) -+{ - fr_sha1_ctx context; - uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */ - uint8_t k_opad[65]; /* outer padding - key XORd with opad */ -@@ -142,6 +168,7 @@ - } - #endif - } -+#endif /* HAVE_OPENSSL_EVP_H */ - - /* - Test Vectors (Trailing '\0' of a character string not included in test): diff --git a/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch b/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch index 1664186..199e583 100644 --- a/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch +++ b/SOURCES/freeradius-Use-system-crypto-policy-by-default.patch @@ -1,33 +1,43 @@ -From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Mon, 26 Sep 2016 19:48:36 +0300 -Subject: [PATCH] Use system crypto policy by default +From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 8 May 2019 10:16:31 -0400 +Subject: [PATCH] Use system-provided crypto-policies by default +Signed-off-by: Alexander Scheel --- - raddb/mods-available/eap | 2 +- + raddb/mods-available/eap | 4 ++-- raddb/mods-available/inner-eap | 2 +- raddb/sites-available/abfab-tls | 2 +- raddb/sites-available/tls | 4 ++-- - 4 files changed, 5 insertions(+), 5 deletions(-) + 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap -index 94494b2c6..9a8dc9327 100644 +index 36849e10f2..b28c0f19c6 100644 --- a/raddb/mods-available/eap 
+++ b/raddb/mods-available/eap -@@ -323,7 +323,7 @@ eap { +@@ -368,7 +368,7 @@ eap { # - # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" + # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" # - cipher_list = "DEFAULT" + cipher_list = "PROFILE=SYSTEM" - # If enabled, OpenSSL will use server cipher list - # (possibly defined by cipher_list option above) + # If enabled, OpenSSL will use server cipher list + # (possibly defined by cipher_list option above) +@@ -912,7 +912,7 @@ eap { + # Note - for OpenSSL 1.1.0 and above you may need + # to add ":@SECLEVEL=0" + # +- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" ++ # cipher_list = "PROFILE=SYSTEM" + + # PAC lifetime in seconds (default: seven days) + # diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap -index 2b4df6267..af9aa88cd 100644 +index 576eb7739e..ffa07188e2 100644 --- a/raddb/mods-available/inner-eap +++ b/raddb/mods-available/inner-eap -@@ -68,7 +68,7 @@ eap inner-eap { +@@ -77,7 +77,7 @@ eap inner-eap { # certificates. If so, edit this file. ca_file = ${cadir}/ca.pem @@ -37,7 +47,7 @@ index 2b4df6267..af9aa88cd 100644 # You may want to set a very small fragment size. # The TLS data here needs to go inside of the diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls -index 5dbe143da..46b5fea78 100644 +index 92f1d6330e..cd69b3905a 100644 --- a/raddb/sites-available/abfab-tls +++ b/raddb/sites-available/abfab-tls @@ -19,7 +19,7 @@ listen { @@ -50,10 +60,10 @@ index 5dbe143da..46b5fea78 100644 cache { enable = no diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls -index cf1cd7a8a..7dd59cb6f 100644 +index bbc761b1c5..83cd35b851 100644 --- a/raddb/sites-available/tls +++ b/raddb/sites-available/tls -@@ -197,7 +197,7 @@ listen { +@@ -215,7 +215,7 @@ listen { # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". 
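Review bot: The new hunk at `+@@ -912,7 +912,7 @@ eap {` changes the commented EAP-FAST example to `# cipher_list = "PROFILE=SYSTEM"` while keeping the two context lines directly above it that advise to add `":@SECLEVEL=0"`. As far as I know PROFILE=SYSTEM is meant to be used on its own, with the security level coming from the system crypto policy, so the retained advice no longer fits the example and nudges an admin toward an invalid cipher string. Since this patch is being refreshed anyway, the patch could replace those context lines with `# With PROFILE=SYSTEM the security level is set by the system crypto policy; change the policy rather than appending ":@SECLEVEL=0".` The other PROFILE=SYSTEM hunks of this patch (inner-eap, abfab-tls, tls) do not show comparable context here, so I cannot tell whether they carry the same stale advice.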
@@ -62,7 +72,7 @@ index cf1cd7a8a..7dd59cb6f 100644 # If enabled, OpenSSL will use server cipher list # (possibly defined by cipher_list option above) -@@ -499,7 +499,7 @@ home_server tls { +@@ -517,7 +517,7 @@ home_server tls { # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". @@ -72,5 +82,5 @@ index cf1cd7a8a..7dd59cb6f 100644 } -- -2.13.2 +2.21.0 diff --git a/SOURCES/freeradius-bootstrap-create-only.patch b/SOURCES/freeradius-bootstrap-create-only.patch new file mode 100644 index 0000000..5b788d9 --- /dev/null +++ b/SOURCES/freeradius-bootstrap-create-only.patch 
@@ -0,0 +1,91 @@ +From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 5 Aug 2020 15:53:45 -0400 +Subject: [PATCH] Don't clobber existing files on bootstrap + +Rebased: v3.0.20 + +Signed-off-by: Alexander Scheel +--- + raddb/certs/bootstrap | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap +index 0f719aa..336a2bd 100755 +--- a/raddb/certs/bootstrap ++++ b/raddb/certs/bootstrap +@@ -31,52 +31,55 @@ fi + # Don't edit the following text. Instead, edit the Makefile, and + # re-generate these commands. + # +-if [ ! -f dh ]; then ++if [ ! -e dh ]; then + openssl dhparam -out dh 2048 || exit 1 +- if [ -e /dev/urandom ] ; then +- ln -sf /dev/urandom random +- else +- date > ./random; +- fi ++ ln -sf /dev/urandom random + fi + +-if [ ! -f server.key ]; then ++if [ ! -e server.key ]; then + openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 ++ chmod g+r server.key + fi + +-if [ ! -f ca.key ]; then ++if [ ! -e ca.key ]; then + openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 + fi + +-if [ ! -f index.txt ]; then ++if [ ! -e index.txt ]; then + touch index.txt + fi + +-if [ ! -f serial ]; then ++if [ ! -e serial ]; then + echo '01' > serial + fi + +-if [ ! -f server.crt ]; then ++if [ ! -e server.crt ]; then + openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 + fi + +-if [ ! -f server.p12 ]; then ++if [ ! 
-e server.p12 ]; then + openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 ++ chmod g+r server.p12 + fi + +-if [ ! -f server.pem ]; then ++if [ ! -e server.pem ]; then + openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 + openssl verify -CAfile ca.pem server.pem || exit 1 ++ chmod g+r server.pem + fi + +-if [ ! -f ca.der ]; then ++if [ ! -e ca.der ]; then + openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 + fi + +-if [ ! -f client.key ]; then ++if [ ! -e client.key ]; then + openssl req -new -out client.csr -keyout client.key -config ./client.cnf ++ chmod g+r client.key + fi + +-if [ ! -f client.crt ]; then ++if [ ! -e client.crt ]; then + openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf + fi ++ ++chown root:radiusd dh ca.* client.* server.* ++chmod 640 dh ca.* client.* server.* +-- +2.26.2 + diff --git a/SOURCES/freeradius-bootstrap-fixed-dhparam.patch b/SOURCES/freeradius-bootstrap-fixed-dhparam.patch new file mode 100644 index 0000000..6121f4b --- /dev/null +++ b/SOURCES/freeradius-bootstrap-fixed-dhparam.patch 
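Review bot: The trailing `chown root:radiusd dh ca.* client.* server.*` and `chmod 640 dh ca.* client.* server.*` make ca.key and client.key readable by the radiusd group, although the server process only needs the server key, certificate chain and dh file to run; the CA private key only has to be readable by whoever signs certificates, so a compromised radiusd should not be able to read it. Following the two lines with `chmod 600 ca.key client.key` (or leaving those two files out of the globs) keeps the generated files at least privilege. Neither chown nor chmod carries the `|| exit 1` the openssl steps use, so when bootstrap is run by a non-root user the chown fails silently and the files end up with whatever modes the umask produced. The freeradius-bootstrap-make-permissions.patch added later in this diff repeats the same two lines and has the same two issues.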
@@ -0,0 +1,52 @@ +From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 5 Aug 2020 16:10:52 -0400 +Subject: [PATCH] Use fixed FIPS-approved dhparam by default + +Signed-off-by: Alexander Scheel +--- + raddb/certs/Makefile | 2 +- + raddb/certs/bootstrap | 7 +++++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile +index 5cbfd46..41b7aea 100644 +--- a/raddb/certs/Makefile ++++ b/raddb/certs/Makefile +@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf + # + ###################################################################### + dh: +- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE) ++ cp rfc3526-group-18-8192.dhparam dh + + ###################################################################### + # +diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap +index 9920ecf..59b3310 100755 +--- a/raddb/certs/bootstrap ++++ b/raddb/certs/bootstrap +@@ -13,6 +13,10 @@ + umask 027 + cd `dirname $0` + ++if [ ! -e random ]; then ++ ln -sf /dev/urandom random ++fi ++ + make -h > /dev/null 2>&1 + + # +@@ -35,8 +39,7 @@ fi + # re-generate these commands. + # + if [ ! -e dh ]; then +- openssl dhparam -out dh 2048 || exit 1 +- ln -sf /dev/urandom random ++ cp rfc3526-group-18-8192.dhparam dh + fi + + if [ ! -e server.key ]; then +-- +2.26.2 + diff --git a/SOURCES/freeradius-bootstrap-make-permissions.patch b/SOURCES/freeradius-bootstrap-make-permissions.patch new file mode 100644 index 0000000..3548fa6 --- /dev/null +++ b/SOURCES/freeradius-bootstrap-make-permissions.patch 
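Review bot: In bootstrap, `cp rfc3526-group-18-8192.dhparam dh` replaces `openssl dhparam -out dh 2048 || exit 1` but drops the `|| exit 1`, so a missing or unreadable source file leaves the script running without a dh file and the problem only surfaces when the server loads its TLS configuration; `cp rfc3526-group-18-8192.dhparam dh || exit 1` keeps the previous fail-fast behaviour. The Makefile rule is fine as it stands, since make aborts on a failing recipe. The patch's diffstat lists only raddb/certs/Makefile and raddb/certs/bootstrap, so the .dhparam file has to be supplied by the spec or another source; that is not visible in this diff and is worth confirming it is installed into raddb/certs under exactly this name.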
@@ -0,0 +1,29 @@ +From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Tue, 4 Aug 2020 10:08:15 -0400 +Subject: [PATCH] Fix permissions after generating certificates with make + +Signed-off-by: Alexander Scheel +--- + raddb/certs/bootstrap | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap +index 336a2bd..9920ecf 100755 +--- a/raddb/certs/bootstrap ++++ b/raddb/certs/bootstrap +@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1 + # + if [ "$?" = "0" ]; then + make all +- exit $? ++ ret=$? ++ chown root:radiusd dh ca.* client.* server.* ++ chmod 640 dh ca.* client.* server.* ++ exit $ret + fi + + # +-- +2.26.2 + diff --git a/SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch b/SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch new file mode 100644 index 0000000..fb96df2 --- /dev/null +++ b/SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch 
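Review bot: The added `chown root:radiusd dh ca.* client.* server.*` and `chmod 640 dh ca.* client.* server.*` run even when `make all` failed, and their own exit status is discarded because the block exits with `$ret` from make, so a failed permission fix (bootstrap run by a non-root user, or a glob matching nothing after a partial build) reports success. Bailing out before the fix-up and checking both commands addresses this with three changed lines: insert `[ "$ret" = "0" ] || exit $ret` after `ret=$?`, and append `|| exit 1` to the chown and chmod lines. The `if [ "$?" = "0" ]; then` block containing these lines is fully inside the hunk.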
@@ -0,0 +1,1955 @@ +From 322f3b0d94f32e01e2db0c76fd38409eddf392ce Mon Sep 17 00:00:00 2001 +From: Jorge Pereira +Date: Thu, 5 Dec 2019 16:02:18 -0300 +Subject: [PATCH] Fix rlm_python3 build + +Just backporting from the master branch. + +Backport from rlm_python (#3184) changes to rlm_python3 + +Brief: + +We should append the 'python_path' to sys.path #3180 + +we should append 'python_path' paths in 'sys.path', due to PySys_SetPath() +reset the entire python path causing problems to use the existing libraries + +Remove unnecessary src/modules/rlm_python3/radiusd_test.py + +Don't call if 'instantiate' and 'detach' are not declared. + +It's related to the discussion in #3185. + +Fix missing destroy for some statements + +Fix Py_SetProgramName() use (#3196) + +As the documentation says, the use of Py_SetProgramName() with wchar_t* +should be only from Python >= 3.5.x + +References: + +Python <= 3.4.x https://docs.python.org/3.4/extending/embedding.html#very-high-level-embedding +Python >= 3.5.x https://docs.python.org/3.5/extending/embedding.html#very-high-level-embedding + +Add missing 'ifdef WITH_PROXY' checks (#3198) + +Clean up (#3197) + +don't try and build rlm_python3 if we can't configure it + +Just call Py_DECREF() (#3199) + +Fix libpython3 cross platform load (#3284) + +Python3 fixes (#3350) + +* python3-config for Python 3.8 requires --embed parameter + +As described in https://bugs.python.org/issue36721, python3-config now +requires --embed for embedded interpreters. 
Otherwise, -lpython3.8 is +not included in ldflags + +* Python 3.8 has removed the "m" suffix in the library name + +As discussed in: https://bugs.python.org/issue36707 + +* Use dl_iterate_phdr to find the appropriate python library + +Otherwise, installation of the libpython3-dev packages is required +in most distributions + +* Update configure file for rlm_python3 + +* Use AX_COMPARE_VERSION to check Python version + +Keep the module directory in python_path +--- + raddb/mods-available/python | 2 +- + raddb/mods-available/python3 | 2 +- + src/include/conf.h | 8 + + src/main/modules.c | 8 - + src/modules/rlm_python3/configure | 1008 ++++++++--------------- + src/modules/rlm_python3/configure.ac | 163 ++-- + src/modules/rlm_python3/radiusd_test.py | 63 -- + src/modules/rlm_python3/rlm_python3.c | 188 ++--- + 8 files changed, 516 insertions(+), 926 deletions(-) + delete mode 100644 src/modules/rlm_python3/radiusd_test.py + +diff --git a/raddb/mods-available/python b/raddb/mods-available/python +index bd172dca05..c19ddcd87e 100644 +--- a/raddb/mods-available/python ++++ b/raddb/mods-available/python +@@ -13,7 +13,7 @@ python { + # item is GLOBAL TO THE SERVER. That is, you cannot have two + # instances of the python module, each with a different path. + # +-# python_path="/path/to/python/files:/another_path/to/python_files/" ++# python_path="${modconfdir}/${.:name}:/path/to/python/files:/another_path/to/python_files/" + + module = example + +diff --git a/raddb/mods-available/python3 b/raddb/mods-available/python3 +index 246dfd74ce..0593c69f1a 100644 +--- a/raddb/mods-available/python3 ++++ b/raddb/mods-available/python3 +@@ -13,7 +13,7 @@ python3 { + # item is GLOBAL TO THE SERVER. That is, you cannot have two + # instances of the python module, each with a different path. 
+ # +-# python_path="/path/to/python/files:/another_path/to/python_files/" ++# python_path="${modconfdir}/${.:name}:/another_path/to/python_files" + + module = example + +diff --git a/src/include/conf.h b/src/include/conf.h +index 758a332b6e..95005d545f 100644 +--- a/src/include/conf.h ++++ b/src/include/conf.h +@@ -13,3 +13,11 @@ + #define SRADUTMP LOGDIR "/sradutmp" + #define RADWTMP LOGDIR "/radwtmp" + #define SRADWTMP LOGDIR "/sradwtmp" ++ ++#ifdef __APPLE__ ++# define LT_SHREXT ".dylib" ++#elif defined (WIN32) ++# define LT_SHREXT ".dll" ++#else ++# define LT_SHREXT ".so" ++#endif +diff --git a/src/main/modules.c b/src/main/modules.c +index 319879c870..c05aa5bf67 100644 +--- a/src/main/modules.c ++++ b/src/main/modules.c +@@ -95,14 +95,6 @@ const section_type_value_t section_type_value[MOD_COUNT] = { + #define RTLD_LOCAL (0) + #endif + +-#ifdef __APPLE__ +-# define LT_SHREXT ".dylib" +-#elif defined (WIN32) +-# define LT_SHREXT ".dll" +-#else +-# define LT_SHREXT ".so" +-#endif +- + /** Check if the magic number in the module matches the one in the library + * + * This is used to detect potential ABI issues caused by running with modules which +diff --git a/src/modules/rlm_python3/configure b/src/modules/rlm_python3/configure +index ff89a16149..05907f12c3 100755 +--- a/src/modules/rlm_python3/configure ++++ b/src/modules/rlm_python3/configure +@@ -588,7 +588,17 @@ LIBOBJS + targetname + mod_cflags + mod_ldflags +-PYTHON3_BIN ++AWK ++PYTHON3_CONFIG_BIN ++pkgpyexecdir ++pyexecdir ++pkgpythondir ++pythondir ++PYTHON_PLATFORM ++PYTHON_EXEC_PREFIX ++PYTHON_PREFIX ++PYTHON_VERSION ++PYTHON + CPP + OBJEXT + EXEEXT +@@ -638,9 +648,7 @@ SHELL' + ac_subst_files='' + ac_user_opts=' + enable_option_checking +-with_rlm_python3_bin +-with_rlm_python3_lib_dir +-with_rlm_python3_include_dir ++with_rlm_python3_config_bin + ' + ac_precious_vars='build_alias + host_alias +@@ -650,7 +658,8 @@ CFLAGS + LDFLAGS + LIBS + CPPFLAGS +-CPP' ++CPP ++PYTHON' + + + # Initialize some 
variables set by options. +@@ -1257,9 +1266,7 @@ if test -n "$ac_init_help"; then + Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) +- --with-rlm-python3-bin=PATH Path to python3 binary +- --with-rlm-python3-lib-dir=DIR Directory for Python library files +- --with-rlm-python3-include-dir=DIR Directory for Python include files ++ --with-rlm-python3-config-bin=PATH Path to python-config3 binary + + Some influential environment variables: + CC C compiler command +@@ -1270,6 +1277,7 @@ Some influential environment variables: + CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if + you have headers in a nonstandard directory + CPP C preprocessor ++ PYTHON the Python interpreter + + Use these variables to override the choices made by `configure' or to help + it to find libraries and programs with nonstandard names/locations. +@@ -2822,46 +2830,92 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ + ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +- PYTHON3_BIN= + +-# Check whether --with-rlm-python3-bin was given. +-if test "${with_rlm_python3_bin+set}" = set; then : +- withval=$with_rlm_python3_bin; case "$withval" in +- no) +- as_fn_error $? "Need rlm-python3-bin" "$LINENO" 5 +- ;; +- yes) +- ;; +- *) +- PYTHON3_BIN="$withval" +- ;; +- esac + +-fi + + +- if test "x$PYTHON3_BIN" = x; then +- for ac_prog in python3 +-do +- # Extract the first word of "$ac_prog", so it can be a program name with args. +-set dummy $ac_prog; ac_word=$2 ++ ++ if test -n "$PYTHON"; then ++ # If the user set $PYTHON, use it and don't search something else. ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.0" >&5 ++$as_echo_n "checking whether $PYTHON version is >= 3.0... " >&6; } ++ prog="import sys ++# split strings by '.' and convert to numeric. Append some zeros ++# because we need at least 4 digits for the hex conversion. 
++# map returns an iterator in Python 3.0 and a list in 2.x ++minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0] ++minverhex = 0 ++# xrange is not present in Python 3.0 and range returns an iterator ++for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] ++sys.exit(sys.hexversion < minverhex)" ++ if { echo "$as_me:$LINENO: $PYTHON -c "$prog"" >&5 ++ ($PYTHON -c "$prog") >&5 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++$as_echo "yes" >&6; } ++else ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++$as_echo "no" >&6; } ++ as_fn_error $? "Python interpreter is too old" "$LINENO" 5 ++fi ++ am_display_PYTHON=$PYTHON ++ else ++ # Otherwise, try each interpreter until we find one that satisfies ++ # VERSION. ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.0" >&5 ++$as_echo_n "checking for a Python interpreter with version >= 3.0... " >&6; } ++if ${am_cv_pathless_PYTHON+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ ++ for am_cv_pathless_PYTHON in python python2 python3 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 none; do ++ test "$am_cv_pathless_PYTHON" = none && break ++ prog="import sys ++# split strings by '.' and convert to numeric. Append some zeros ++# because we need at least 4 digits for the hex conversion. 
++# map returns an iterator in Python 3.0 and a list in 2.x ++minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0] ++minverhex = 0 ++# xrange is not present in Python 3.0 and range returns an iterator ++for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] ++sys.exit(sys.hexversion < minverhex)" ++ if { echo "$as_me:$LINENO: $am_cv_pathless_PYTHON -c "$prog"" >&5 ++ ($am_cv_pathless_PYTHON -c "$prog") >&5 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; then : ++ break ++fi ++ done ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_pathless_PYTHON" >&5 ++$as_echo "$am_cv_pathless_PYTHON" >&6; } ++ # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON. ++ if test "$am_cv_pathless_PYTHON" = none; then ++ PYTHON=: ++ else ++ # Extract the first word of "$am_cv_pathless_PYTHON", so it can be a program name with args. ++set dummy $am_cv_pathless_PYTHON; ac_word=$2 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 + $as_echo_n "checking for $ac_word... " >&6; } +-if ${ac_cv_prog_PYTHON3_BIN+:} false; then : ++if ${ac_cv_path_PYTHON+:} false; then : + $as_echo_n "(cached) " >&6 + else +- if test -n "$PYTHON3_BIN"; then +- ac_cv_prog_PYTHON3_BIN="$PYTHON3_BIN" # Let the user override the test. +-else +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-as_dummy="${PATH}:/usr/bin:/usr/local/bin" +-for as_dir in $as_dummy ++ case $PYTHON in ++ [\\/]* | ?:[\\/]*) ++ ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path. ++ ;; ++ *) ++ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR ++for as_dir in $PATH + do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then +- ac_cv_prog_PYTHON3_BIN="$ac_prog" ++ ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +@@ -2869,708 +2923,358 @@ done + done + IFS=$as_save_IFS + ++ ;; ++esac + fi +-fi +-PYTHON3_BIN=$ac_cv_prog_PYTHON3_BIN +-if test -n "$PYTHON3_BIN"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON3_BIN" >&5 +-$as_echo "$PYTHON3_BIN" >&6; } ++PYTHON=$ac_cv_path_PYTHON ++if test -n "$PYTHON"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5 ++$as_echo "$PYTHON" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi + + +- test -n "$PYTHON3_BIN" && break +-done +-test -n "$PYTHON3_BIN" || PYTHON3_BIN="not-found" +- +- fi +- +- if test "x$PYTHON3_BIN" = "xnot-found"; then +- fail="python-binary" +- fi +- +- PY_LIB_DIR= +- +-# Check whether --with-rlm-python3-lib-dir was given. +-if test "${with_rlm_python3_lib_dir+set}" = set; then : +- withval=$with_rlm_python3_lib_dir; case "$withval" in +- no) +- as_fn_error $? "Need rlm-python3-lib-dir" "$LINENO" 5 +- ;; +- yes) +- ;; +- *) +- PY_LIB_DIR="$withval" +- ;; +- esac +- +-fi ++ fi ++ am_display_PYTHON=$am_cv_pathless_PYTHON ++ fi + + +- PY_INC_DIR= ++ if test "$PYTHON" = :; then ++ : ++ else + +-# Check whether --with-rlm-python3-include-dir was given. +-if test "${with_rlm_python3_include_dir+set}" = set; then : +- withval=$with_rlm_python3_include_dir; case "$withval" in +- no) +- as_fn_error $? "Need rlm-python3-include-dir" "$LINENO" 5 +- ;; +- yes) +- ;; +- *) +- PY_INC_DIR="$withval" +- ;; +- esac + ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5 ++$as_echo_n "checking for $am_display_PYTHON version... 
" >&6; } ++if ${am_cv_python_version+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"` + fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5 ++$as_echo "$am_cv_python_version" >&6; } ++ PYTHON_VERSION=$am_cv_python_version + + +- if test x$fail = x; then +- PY_PREFIX=`${PYTHON3_BIN} -c 'import sys ; print(sys.prefix)'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python sys.prefix \"${PY_PREFIX}\"" >&5 +-$as_echo "$as_me: Python sys.prefix \"${PY_PREFIX}\"" >&6;} +- +- PY_EXEC_PREFIX=`${PYTHON3_BIN} -c 'import sys ; print(sys.exec_prefix)'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python sys.exec_prefix \"${PY_EXEC_PREFIX}\"" >&5 +-$as_echo "$as_me: Python sys.exec_prefix \"${PY_EXEC_PREFIX}\"" >&6;} +- +- PY_SYS_VERSION=`${PYTHON3_BIN} -c 'import sys ; print(sys.version[0:3])'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python sys.version \"${PY_SYS_VERSION}\"" >&5 +-$as_echo "$as_me: Python sys.version \"${PY_SYS_VERSION}\"" >&6;} +- +- if test "x$PY_LIB_DIR" = "x"; then +- PY_LIB_DIR="$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config" +- PY_LIB_LOC="-L$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config" +- fi +- +- PY_MAKEFILE="$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config/Makefile" +- if test -f ${PY_MAKEFILE}; then +- PY_LOCAL_MOD_LIBS=`sed -n -e 's/^LOCALMODLIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[:blank:]]/ /g;s/^ *//;s/ *$//'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python local_mod_libs \"${PY_LOCAL_MOD_LIBS}\"" >&5 +-$as_echo "$as_me: Python local_mod_libs \"${PY_LOCAL_MOD_LIBS}\"" >&6;} +- +- PY_BASE_MOD_LIBS=`sed -n -e 's/^BASEMODLIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[:blank:]]/ /g;s/^ *//;s/ *$//'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python base_mod_libs \"${PY_BASE_MOD_LIBS}\"" >&5 +-$as_echo "$as_me: Python base_mod_libs \"${PY_BASE_MOD_LIBS}\"" >&6;} +- +- PY_OTHER_LIBS=`sed -n -e 's/^LIBS=\(.*\)/\1/p' 
$PY_MAKEFILE | sed -e 's/[[:blank:]]/ /g;s/ / /g;s/^ *//;s/ *$//'` +- PY_OTHER_LDFLAGS=`sed -n -e 's/^LINKFORSHARED=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[:blank:]]/ /g;s/ / /g;s/^ *//;s/ *$//'` +- { $as_echo "$as_me:${as_lineno-$LINENO}: Python other_libs \"${PY_OTHER_LDFLAGS} ${PY_OTHER_LIBS}\"" >&5 +-$as_echo "$as_me: Python other_libs \"${PY_OTHER_LDFLAGS} ${PY_OTHER_LIBS}\"" >&6;} +- fi +- PY_EXTRA_LIBS="$PY_LOCALMODLIBS $PY_BASE_MOD_LIBS $PY_OTHER_LIBS" +- +- old_CFLAGS=$CFLAGS +- CFLAGS="$CFLAGS $PY_CFLAGS" +- smart_try_dir="$PY_PREFIX/include/python$PY_SYS_VERSION" +- + ++ PYTHON_PREFIX='${prefix}' + +-ac_safe=`echo "Python.h" | sed 'y%./+-%__pm%'` +-old_CPPFLAGS="$CPPFLAGS" +-smart_include= +-smart_include_dir="/usr/local/include /opt/include" ++ PYTHON_EXEC_PREFIX='${exec_prefix}' + +-_smart_try_dir= +-_smart_include_dir= + +-for _prefix in $smart_prefix ""; do +- for _dir in $smart_try_dir; do +- _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" +- done +- +- for _dir in $smart_include_dir; do +- _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" +- done +-done +- +-if test "x$_smart_try_dir" != "x"; then +- for try in $_smart_try_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python.h in $try" >&5 +-$as_echo_n "checking for Python.h in $try... " >&6; } +- CPPFLAGS="-isystem $try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem $try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break + ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5 ++$as_echo_n "checking for $am_display_PYTHON platform... 
" >&6; } ++if ${am_cv_python_platform+:} false; then : ++ $as_echo_n "(cached) " >&6 + else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- done +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_include" = "x"; then +- for _prefix in $smart_prefix; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/Python.h" >&5 +-$as_echo_n "checking for ${_prefix}/Python.h... " >&6; } +- +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem ${_prefix}/" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break +- ++ am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"` ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5 ++$as_echo "$am_cv_python_platform" >&6; } ++ PYTHON_PLATFORM=$am_cv_python_platform ++ ++ ++ # Just factor out some code duplication. ++ am_python_setup_sysconfig="\ ++import sys ++# Prefer sysconfig over distutils.sysconfig, for better compatibility ++# with python 3.x. See automake bug#10227. ++try: ++ import sysconfig ++except ImportError: ++ can_use_sysconfig = 0 ++else: ++ can_use_sysconfig = 1 ++# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs: ++# ++try: ++ from platform import python_implementation ++ if python_implementation() == 'CPython' and sys.version[:3] == '2.7': ++ can_use_sysconfig = 0 ++except ImportError: ++ pass" ++ ++ ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5 ++$as_echo_n "checking for $am_display_PYTHON script directory... 
" >&6; } ++if ${am_cv_python_pythondir+:} false; then : ++ $as_echo_n "(cached) " >&6 + else ++ if test "x$prefix" = xNONE ++ then ++ am_py_prefix=$ac_default_prefix ++ else ++ am_py_prefix=$prefix ++ fi ++ am_cv_python_pythondir=`$PYTHON -c " ++$am_python_setup_sysconfig ++if can_use_sysconfig: ++ sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'}) ++else: ++ from distutils import sysconfig ++ sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix') ++sys.stdout.write(sitedir)"` ++ case $am_cv_python_pythondir in ++ $am_py_prefix*) ++ am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'` ++ am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"` ++ ;; ++ *) ++ case $am_py_prefix in ++ /usr|/System*) ;; ++ *) ++ am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages ++ ;; ++ esac ++ ;; ++ esac + +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- done + fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5 ++$as_echo "$am_cv_python_pythondir" >&6; } ++ pythondir=$am_cv_python_pythondir + +-if test "x$smart_include" = "x"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python.h" >&5 +-$as_echo_n "checking for Python.h... " >&6; } + +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ + +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : ++ pkgpythondir=\${pythondir}/$PACKAGE + +- smart_include=" " +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break + ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5 ++$as_echo_n "checking for $am_display_PYTHON extension module directory... 
" >&6; } ++if ${am_cv_python_pyexecdir+:} false; then : ++ $as_echo_n "(cached) " >&6 + else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } ++ if test "x$exec_prefix" = xNONE ++ then ++ am_py_exec_prefix=$am_py_prefix ++ else ++ am_py_exec_prefix=$exec_prefix ++ fi ++ am_cv_python_pyexecdir=`$PYTHON -c " ++$am_python_setup_sysconfig ++if can_use_sysconfig: ++ sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'}) ++else: ++ from distutils import sysconfig ++ sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix') ++sys.stdout.write(sitedir)"` ++ case $am_cv_python_pyexecdir in ++ $am_py_exec_prefix*) ++ am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'` ++ am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"` ++ ;; ++ *) ++ case $am_py_exec_prefix in ++ /usr|/System*) ;; ++ *) ++ am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages ++ ;; ++ esac ++ ;; ++ esac + + fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +-fi +- +-if test "x$smart_include" = "x"; then ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5 ++$as_echo "$am_cv_python_pyexecdir" >&6; } ++ pyexecdir=$am_cv_python_pyexecdir + +- for prefix in $smart_prefix; do + + +-if test "x$LOCATE" != "x"; then +- DIRS= +- file="${_prefix}/${1}" ++ pkgpyexecdir=\${pyexecdir}/$PACKAGE + +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi +- +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi +- +- already=`echo \$_smart_include_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi + +-eval "_smart_include_dir=\"\$_smart_include_dir $DIRS\"" + +- done ++ fi + + +-if test "x$LOCATE" != 
"x"; then +- DIRS= +- file=Python.h + +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi ++ PYTHON3_CONFIG_BIN= + +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi ++# Check whether --with-rlm-python3-config-bin was given. ++if test "${with_rlm_python3_config_bin+set}" = set; then : ++ withval=$with_rlm_python3_config_bin; case "$withval" in ++ no) ++ as_fn_error $? "Need rlm-python3-config-bin" "$LINENO" 5 ++ ;; ++ yes) ++ ;; ++ *) ++ PYTHON3_CONFIG_BIN="$withval" ++ ;; ++ esac + +- already=`echo \$_smart_include_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done + fi + +-eval "_smart_include_dir=\"\$_smart_include_dir $DIRS\"" +- +- +- for try in $_smart_include_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python.h in $try" >&5 +-$as_echo_n "checking for Python.h in $try... " >&6; } +- CPPFLAGS="-isystem $try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem $try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break + ++ if test "x$PYTHON3_CONFIG_BIN" = x; then ++ for ac_prog in python3-config ++do ++ # Extract the first word of "$ac_prog", so it can be a program name with args. ++set dummy $ac_prog; ac_word=$2 ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 ++$as_echo_n "checking for $ac_word... 
" >&6; } ++if ${ac_cv_prog_PYTHON3_CONFIG_BIN+:} false; then : ++ $as_echo_n "(cached) " >&6 + else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++ if test -n "$PYTHON3_CONFIG_BIN"; then ++ ac_cv_prog_PYTHON3_CONFIG_BIN="$PYTHON3_CONFIG_BIN" # Let the user override the test. ++else ++as_save_IFS=$IFS; IFS=$PATH_SEPARATOR ++as_dummy="${PATH}:/usr/bin:/usr/local/bin" ++for as_dir in $as_dummy ++do ++ IFS=$as_save_IFS ++ test -z "$as_dir" && as_dir=. ++ for ac_exec_ext in '' $ac_executable_extensions; do ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ++ ac_cv_prog_PYTHON3_CONFIG_BIN="$ac_prog" ++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 ++ break 2 ++ fi ++done + done +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_include" != "x"; then +- eval "ac_cv_header_$ac_safe=yes" +- CPPFLAGS="$smart_include $old_CPPFLAGS" +- SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" +-fi +- +-smart_prefix= +- +- CFLAGS=$old_CFLAGS +- +- if test "x$ac_cv_header_Python_h" = "xyes"; then +- mod_cflags="$SMART_CPPFLAGS" +- else +- fail="$fail Python.h" +- targetname= +- fi +- +- old_LIBS=$LIBS +- LIBS="$LIBS $PY_LIB_LOC $PY_EXTRA_LIBS -lm" +- smart_try_dir=$PY_LIB_DIR +- +- +-sm_lib_safe=`echo "python${PY_SYS_VERSION}" | sed 'y%./+-%__p_%'` +-sm_func_safe=`echo "Py_Initialize" | sed 'y%./+-%__p_%'` +- +-old_LIBS="$LIBS" +-old_CPPFLAGS="$CPPFLAGS" +-smart_lib= +-smart_ldflags= +-smart_lib_dir= +- +-if test "x$smart_try_dir" != "x"; then +- for try in $smart_try_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION} in $try" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION} in $try... 
" >&6; } +- LIBS="-lpython${PY_SYS_VERSION} $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break ++IFS=$as_save_IFS + +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } + fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" + fi +- +-if test "x$smart_lib" = "x"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION}" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION}... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION} $old_LIBS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. 
*/ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- ++PYTHON3_CONFIG_BIN=$ac_cv_prog_PYTHON3_CONFIG_BIN ++if test -n "$PYTHON3_CONFIG_BIN"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON3_CONFIG_BIN" >&5 ++$as_echo "$PYTHON3_CONFIG_BIN" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- LIBS="$old_LIBS" +-fi + +-if test "x$smart_lib" = "x"; then + ++ test -n "$PYTHON3_CONFIG_BIN" && break ++done ++test -n "$PYTHON3_CONFIG_BIN" || PYTHON3_CONFIG_BIN="not-found" + +-if test "x$LOCATE" != "x"; then +- DIRS= +- file=libpython${PY_SYS_VERSION}${libltdl_cv_shlibext} +- +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi +- +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi +- +- already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi +- +-eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" +- +- +- +-if test "x$LOCATE" != "x"; then +- DIRS= +- file=libpython${PY_SYS_VERSION}.a +- +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi +- +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi +- +- already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi +- +-eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" +- +- +- for try in $smart_lib_dir 
/usr/local/lib /opt/lib; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION} in $try" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION} in $try... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION} $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break ++ fi + ++ if test "x$PYTHON3_CONFIG_BIN" = xnot-found; then ++ fail="$fail python3-config" ++ else ++ old_CFLAGS="$CFLAGS" ++ unset CFLAGS ++ ++ python3_cflags=`${PYTHON3_CONFIG_BIN} --cflags` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: ${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"" >&5 ++$as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"" >&6;} ++ ++ mod_cflags=`echo $python3_cflags | sed -e '\ ++ s/-I/-isystem/g;\ ++ s/-isysroot[ =]\{0,1\}[^-]*//g;\ ++ s/-O[^[[:blank:]]]*//g;\ ++ s/-Wp,-D_FORTIFY_SOURCE=[[:digit:]]//g;\ ++ s/-g[^ ]*//g;\ ++ s/-W[^ ]*//g;\ ++ s/-DNDEBUG[[:blank:]]*//g; ++ '` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: Sanitized cflags were \"${mod_cflags}\"" >&5 ++$as_echo "$as_me: Sanitized cflags were \"${mod_cflags}\"" >&6;} ++ ++ for ac_prog in gawk mawk nawk awk ++do ++ # Extract the first word of "$ac_prog", so it can be a program name with args. ++set dummy $ac_prog; ac_word=$2 ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 ++$as_echo_n "checking for $ac_word... 
" >&6; } ++if ${ac_cv_prog_AWK+:} false; then : ++ $as_echo_n "(cached) " >&6 + else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext ++ if test -n "$AWK"; then ++ ac_cv_prog_AWK="$AWK" # Let the user override the test. ++else ++as_save_IFS=$IFS; IFS=$PATH_SEPARATOR ++for as_dir in $PATH ++do ++ IFS=$as_save_IFS ++ test -z "$as_dir" && as_dir=. ++ for ac_exec_ext in '' $ac_executable_extensions; do ++ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ++ ac_cv_prog_AWK="$ac_prog" ++ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 ++ break 2 ++ fi ++done + done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_lib" != "x"; then +- eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes" +- LIBS="$smart_ldflags $smart_lib $old_LIBS" +- SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" +-fi +- +- LIBS=$old_LIBS +- +- eval t=\${ac_cv_lib_${sm_lib_safe}_${sm_func_safe}} +- if test "x$t" = "xyes"; then +- mod_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $SMART_LIBS -lm" +- targetname=rlm_python3 +- else +- +- +-sm_lib_safe=`echo "python${PY_SYS_VERSION}m" | sed 'y%./+-%__p_%'` +-sm_func_safe=`echo "Py_Initialize" | sed 'y%./+-%__p_%'` +- +-old_LIBS="$LIBS" +-old_CPPFLAGS="$CPPFLAGS" +-smart_lib= +-smart_ldflags= +-smart_lib_dir= +- +-if test "x$smart_try_dir" != "x"; then +- for try in $smart_try_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION}m in $try" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION}m in $try... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION}m $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. 
*/ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}m" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break ++IFS=$as_save_IFS + +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } + fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" + fi +- +-if test "x$smart_lib" = "x"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION}m" >&5 +-$as_echo_n "checking for Py_Initialize in -lpython${PY_SYS_VERSION}m... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION}m $old_LIBS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lpython${PY_SYS_VERSION}m" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- ++AWK=$ac_cv_prog_AWK ++if test -n "$AWK"; then ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 ++$as_echo "$AWK" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + $as_echo "no" >&6; } + fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- LIBS="$old_LIBS" +-fi + +-if test "x$smart_lib" = "x"; then + ++ test -n "$AWK" && break ++done + +-if test "x$LOCATE" != "x"; then +- DIRS= +- file=libpython${PY_SYS_VERSION}m${libltdl_cv_shlibext} + +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi + +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi + 
+- already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi ++ # Used to indicate true or false condition ++ ax_compare_version=false + +-eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" ++ # Convert the two version strings to be compared into a format that ++ # allows a simple string comparison. The end result is that a version ++ # string of the form 1.12.5-r617 will be converted to the form ++ # 0001001200050617. In other words, each number is zero padded to four ++ # digits, and non digits are removed. + ++ ax_compare_version_A=`echo "${PYTHON_VERSION}" | sed -e 's/\([0-9]*\)/Z\1Z/g' \ ++ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \ ++ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \ ++ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \ ++ -e 's/[^0-9]//g'` + + +-if test "x$LOCATE" != "x"; then +- DIRS= +- file=libpython${PY_SYS_VERSION}m.a ++ ax_compare_version_B=`echo "3.8" | sed -e 's/\([0-9]*\)/Z\1Z/g' \ ++ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \ ++ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \ ++ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \ ++ -e 's/[^0-9]//g'` + +- for x in `${LOCATE} $file 2>/dev/null`; do +- base=`echo $x | sed "s%/${file}%%"` +- if test "x$x" = "x$base"; then +- continue; +- fi + +- dir=`${DIRNAME} $x 2>/dev/null` +- exclude=`echo ${dir} | ${GREP} /home` +- if test "x$exclude" != "x"; then +- continue +- fi ++ ax_compare_version=`echo "x$ax_compare_version_A ++x$ax_compare_version_B" | sed 's/^ *//' | sort -r | sed "s/x${ax_compare_version_A}/true/;s/x${ax_compare_version_B}/false/;1q"` + +- already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` +- if test "x$already" = "x"; then +- DIRS="$DIRS $dir" +- fi +- done +-fi + +-eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" + ++ if test "$ax_compare_version" = "true" ; then ++ EMBED="--embed" ++ fi + +- for try in $smart_lib_dir /usr/local/lib /opt/lib; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Py_Initialize in -lpython${PY_SYS_VERSION}m in $try" >&5 +-$as_echo_n 
"checking for Py_Initialize in -lpython${PY_SYS_VERSION}m in $try... " >&6; } +- LIBS="-lpython${PY_SYS_VERSION}m $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char Py_Initialize(); +-int +-main () +-{ +-Py_Initialize() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : + +- smart_lib="-lpython${PY_SYS_VERSION}m" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break ++ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&5 ++$as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&6;} + +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" +-fi ++ mod_ldflags=`echo $python3_ldflags | sed -e '\ ++ s/-Wl,-O[[:digit:]][[:blank:]]*//g;\ ++ s/-Wl,-Bsymbolic-functions[[:blank:]]*//g;\ ++ s/-Xlinker -export-dynamic//g;\ ++ s/-Wl,-stack_size,[[:digit:]]*[[:blank:]]//g; ++ '` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: Sanitized ldflags were \"${mod_ldflags}\"" >&5 ++$as_echo "$as_me: Sanitized ldflags were \"${mod_ldflags}\"" >&6;} + +-if test "x$smart_lib" != "x"; then +- eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes" +- LIBS="$smart_ldflags $smart_lib $old_LIBS" +- SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" +-fi ++ CFLAGS=$old_CFLAGS + +- eval t=\${ac_cv_lib_${sm_lib_safe}_${sm_func_safe}} +- if test "x$t" = "xyes"; then +- mod_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $SMART_LIBS -lm" +- targetname=rlm_python3 +- else +- targetname= +- fail="$fail libpython$PY_SYS_VERSION" +- fi +- fi ++ targetname="rlm_python3" + fi + +- for ac_func in dl_iterate_phdr ++for 
ac_func in dl_iterate_phdr + do : + ac_fn_c_check_func "$LINENO" "dl_iterate_phdr" "ac_cv_func_dl_iterate_phdr" + if test "x$ac_cv_func_dl_iterate_phdr" = xyes; then : +@@ -3603,11 +3307,7 @@ ac_config_headers="$ac_config_headers config.h" + + + +- +- unset ac_cv_env_LIBS_set +- unset ac_cv_env_LIBS_value +- +- ac_config_files="$ac_config_files all.mk" ++ac_config_files="$ac_config_files all.mk" + + cat >confcache <<\_ACEOF + # This file is a shell script that caches the results of configure +@@ -4187,6 +3887,7 @@ gives unlimited permission to copy, distribute and modify it." + + ac_pwd='$ac_pwd' + srcdir='$srcdir' ++AWK='$AWK' + test -n "\$AWK" || AWK=awk + _ACEOF + +@@ -4881,4 +4582,3 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then + $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} + fi + +- +diff --git a/src/modules/rlm_python3/configure.ac b/src/modules/rlm_python3/configure.ac +index a00320fda4..698a8c1d18 100644 +--- a/src/modules/rlm_python3/configure.ac ++++ b/src/modules/rlm_python3/configure.ac +@@ -7,128 +7,81 @@ if test x$with_[]modname != xno; then + + AC_PROG_CC + AC_PROG_CPP ++ AM_PATH_PYTHON([3.0],, [:]) + +- dnl extra argument: --with-rlm-python3-bin +- PYTHON3_BIN= +- AC_ARG_WITH(rlm-python3-bin, +- [ --with-rlm-python3-bin=PATH Path to python3 binary []], ++ dnl extra argument: --with-rlm-python3-config-bin ++ PYTHON3_CONFIG_BIN= ++ AC_ARG_WITH(rlm-python3-config-bin, ++ [ --with-rlm-python3-config-bin=PATH Path to python-config3 binary []], + [ case "$withval" in + no) +- AC_MSG_ERROR(Need rlm-python3-bin) ++ AC_MSG_ERROR(Need rlm-python3-config-bin) + ;; + yes) + ;; + *) +- PYTHON3_BIN="$withval" ++ PYTHON3_CONFIG_BIN="$withval" + ;; + esac ] + ) + +- if test "x$PYTHON3_BIN" = x; then +- AC_CHECK_PROGS(PYTHON3_BIN, [ python3 ], not-found, [${PATH}:/usr/bin:/usr/local/bin]) ++ if test "x$PYTHON3_CONFIG_BIN" = x; then ++ AC_CHECK_PROGS(PYTHON3_CONFIG_BIN, [ python3-config ], 
not-found, [${PATH}:/usr/bin:/usr/local/bin]) + fi + +- if test "x$PYTHON3_BIN" = "xnot-found"; then +- fail="python-binary" +- fi +- +- dnl extra argument: --with-rlm-python3-lib-dir +- PY_LIB_DIR= +- AC_ARG_WITH(rlm-python3-lib-dir, +- [ --with-rlm-python3-lib-dir=DIR Directory for Python library files []], +- [ case "$withval" in +- no) +- AC_MSG_ERROR(Need rlm-python3-lib-dir) +- ;; +- yes) +- ;; +- *) +- PY_LIB_DIR="$withval" +- ;; +- esac ] +- ) +- +- dnl extra argument: --with-rlm-python3-include-dir +- PY_INC_DIR= +- AC_ARG_WITH(rlm-python3-include-dir, +- [ --with-rlm-python3-include-dir=DIR Directory for Python include files []], +- [ case "$withval" in +- no) +- AC_MSG_ERROR(Need rlm-python3-include-dir) +- ;; +- yes) +- ;; +- *) +- PY_INC_DIR="$withval" +- ;; +- esac ] +- ) +- +- if test x$fail = x; then +- PY_PREFIX=`${PYTHON3_BIN} -c 'import sys ; print(sys.prefix)'` +- AC_MSG_NOTICE([Python sys.prefix \"${PY_PREFIX}\"]) +- +- PY_EXEC_PREFIX=`${PYTHON3_BIN} -c 'import sys ; print(sys.exec_prefix)'` +- AC_MSG_NOTICE([Python sys.exec_prefix \"${PY_EXEC_PREFIX}\"]) +- +- PY_SYS_VERSION=`${PYTHON3_BIN} -c 'import sys ; print(sys.version[[0:3]])'` +- AC_MSG_NOTICE([Python sys.version \"${PY_SYS_VERSION}\"]) +- +- if test "x$PY_LIB_DIR" = "x"; then +- PY_LIB_DIR="$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config" +- PY_LIB_LOC="-L$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config" +- fi +- +- PY_MAKEFILE="$PY_EXEC_PREFIX/lib/python${PY_SYS_VERSION}/config/Makefile" +- if test -f ${PY_MAKEFILE}; then +- PY_LOCAL_MOD_LIBS=`sed -n -e 's/^LOCALMODLIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[[:blank:]]]/ /g;s/^ *//;s/ *$//'` +- AC_MSG_NOTICE([Python local_mod_libs \"${PY_LOCAL_MOD_LIBS}\"]) +- +- PY_BASE_MOD_LIBS=`sed -n -e 's/^BASEMODLIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[[:blank:]]]/ /g;s/^ *//;s/ *$//'` +- AC_MSG_NOTICE([Python base_mod_libs \"${PY_BASE_MOD_LIBS}\"]) +- +- PY_OTHER_LIBS=`sed -n -e 's/^LIBS=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 
's/[[[:blank:]]]/ /g;s/ / /g;s/^ *//;s/ *$//'` +- PY_OTHER_LDFLAGS=`sed -n -e 's/^LINKFORSHARED=\(.*\)/\1/p' $PY_MAKEFILE | sed -e 's/[[[:blank:]]]/ /g;s/ / /g;s/^ *//;s/ *$//'` +- AC_MSG_NOTICE([Python other_libs \"${PY_OTHER_LDFLAGS} ${PY_OTHER_LIBS}\"]) +- fi +- PY_EXTRA_LIBS="$PY_LOCALMODLIBS $PY_BASE_MOD_LIBS $PY_OTHER_LIBS" ++ if test "x$PYTHON3_CONFIG_BIN" = xnot-found; then ++ fail="$fail python3-config" ++ else ++ dnl # ++ dnl # It is necessary due to a weird behavior with 'python3-config' ++ dnl # ++ old_CFLAGS="$CFLAGS" ++ unset CFLAGS ++ ++ python3_cflags=`${PYTHON3_CONFIG_BIN} --cflags` ++ AC_MSG_NOTICE([${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"]) ++ ++ dnl # Convert -I to -isystem to get rid of warnings about issues in Python headers ++ dnl # Strip -systemroot ++ dnl # Strip optimisation flags (-O[0-9]?). We decide our optimisation level, not python. ++ dnl # -D_FORTIFY_SOURCE needs -O. ++ dnl # Strip debug symbol flags (-g[0-9]?). We decide on debugging symbols, not python ++ dnl # Strip -W*, we decide what warnings are important ++ dnl # Strip -DNDEBUG ++ mod_cflags=`echo $python3_cflags | sed -e '\ ++ s/-I/-isystem/g;\ ++ s/-isysroot[[ =]]\{0,1\}[[^-]]*//g;\ ++ s/-O[[^[[:blank:]]]]*//g;\ ++ s/-Wp,-D_FORTIFY_SOURCE=[[[:digit:]]]//g;\ ++ s/-g[[^ ]]*//g;\ ++ s/-W[[^ ]]*//g;\ ++ s/-DNDEBUG[[[:blank:]]]*//g; ++ '` ++ AC_MSG_NOTICE([Sanitized cflags were \"${mod_cflags}\"]) ++ ++ dnl # From python 3.8, --embed is required ++ dnl # https://bugs.python.org/issue36721 ++ AX_COMPARE_VERSION(${PYTHON_VERSION}, [ge], [3.8], [EMBED="--embed"], []) ++ ++ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED` ++ AC_MSG_NOTICE([${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"]) ++ ++ dnl # Strip -Wl,-O1... Is -O even a valid linker flag?? 
++ dnl # Strip -Wl,-Bsymbolic-functions as thats not always supported or required ++ dnl # Strip -Xlinker -export-dynamic as it causes weird linking issues on Linux ++ dnl # See: https://bugs.python.org/issue36508 ++ mod_ldflags=`echo $python3_ldflags | sed -e '\ ++ s/-Wl,-O[[[:digit:]]][[[:blank:]]]*//g;\ ++ s/-Wl,-Bsymbolic-functions[[[:blank:]]]*//g;\ ++ s/-Xlinker -export-dynamic//g;\ ++ s/-Wl,-stack_size,[[[:digit:]]]*[[[:blank:]]]//g; ++ '` ++ AC_MSG_NOTICE([Sanitized ldflags were \"${mod_ldflags}\"]) + +- old_CFLAGS=$CFLAGS +- CFLAGS="$CFLAGS $PY_CFLAGS" +- smart_try_dir="$PY_PREFIX/include/python$PY_SYS_VERSION" +- FR_SMART_CHECK_INCLUDE(Python.h) + CFLAGS=$old_CFLAGS + +- if test "x$ac_cv_header_Python_h" = "xyes"; then +- mod_cflags="$SMART_CPPFLAGS" +- else +- fail="$fail Python.h" +- targetname= +- fi +- +- old_LIBS=$LIBS +- LIBS="$LIBS $PY_LIB_LOC $PY_EXTRA_LIBS -lm" +- smart_try_dir=$PY_LIB_DIR +- FR_SMART_CHECK_LIB(python${PY_SYS_VERSION}, Py_Initialize) +- LIBS=$old_LIBS +- +- eval t=\${ac_cv_lib_${sm_lib_safe}_${sm_func_safe}} +- if test "x$t" = "xyes"; then +- mod_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $SMART_LIBS -lm" +- targetname=modname +- else +- FR_SMART_CHECK_LIB(python${PY_SYS_VERSION}m, Py_Initialize) +- eval t=\${ac_cv_lib_${sm_lib_safe}_${sm_func_safe}} +- if test "x$t" = "xyes"; then +- mod_ldflags="$PY_LIB_LOC $PY_EXTRA_LIBS $SMART_LIBS -lm" +- targetname=modname +- else +- targetname= +- fail="$fail libpython$PY_SYS_VERSION" +- fi +- fi ++ targetname="rlm_python3" + fi +- + AC_CHECK_FUNCS([dl_iterate_phdr]) + else + targetname= +diff --git a/src/modules/rlm_python3/radiusd_test.py b/src/modules/rlm_python3/radiusd_test.py +deleted file mode 100644 +index 8582716ccb..0000000000 +--- a/src/modules/rlm_python3/radiusd_test.py ++++ /dev/null +@@ -1,63 +0,0 @@ +-#! /usr/bin/env python3 +-# +-# Python module test +-# Miguel A.L. 
Paraz +-# +-# $Id: 8582716ccbf340be00ce081ecf5ab078e93d1183 $ +- +-import radiusd +- +-def instantiate(p): +- print "*** instantiate ***" +- print p +- +-def authorize(p): +- print "*** authorize ***" +- print +- radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***') +- print +- print p +- return radiusd.RLM_MODULE_OK +- +-def preacct(p): +- print "*** preacct ***" +- print p +- return radiusd.RLM_MODULE_OK +- +-def accounting(p): +- print "*** accounting ***" +- radiusd.radlog(radiusd.L_INFO, '*** radlog call in accounting (0) ***') +- print +- print p +- return radiusd.RLM_MODULE_OK +- +-def pre_proxy(p): +- print "*** pre_proxy ***" +- print p +- return radiusd.RLM_MODULE_OK +- +-def post_proxy(p): +- print "*** post_proxy ***" +- print p +- return radiusd.RLM_MODULE_OK +- +-def post_auth(p): +- print "*** post_auth ***" +- print p +- return radiusd.RLM_MODULE_OK +- +-def recv_coa(p): +- print "*** recv_coa ***" +- print p +- return radiusd.RLM_MODULE_OK +- +-def send_coa(p): +- print "*** send_coa ***" +- print p +- return radiusd.RLM_MODULE_OK +- +- +-def detach(): +- print "*** goodbye from radiusd_test.py ***" +- return radiusd.RLM_MODULE_OK +- +diff --git a/src/modules/rlm_python3/rlm_python3.c b/src/modules/rlm_python3/rlm_python3.c +index 06187e4ffa..5da23f4d71 100644 +--- a/src/modules/rlm_python3/rlm_python3.c ++++ b/src/modules/rlm_python3/rlm_python3.c +@@ -41,8 +41,17 @@ RCSID("$Id$") + #include + #endif + ++/* ++ * Since version 3.8, the "m" suffix is no longer available. ++ * https://bugs.python.org/issue36707 ++ */ ++#if PY_MINOR_VERSION >= 8 + #define LIBPYTHON_LINKER_NAME \ +- "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) "m.so" ++ "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) LT_SHREXT ++#else ++#define LIBPYTHON_LINKER_NAME \ ++ "libpython" STRINGIFY(PY_MAJOR_VERSION) "." 
STRINGIFY(PY_MINOR_VERSION) "m" LT_SHREXT ++#endif + + static uint32_t python_instances = 0; + static void *python_dlhandle; +@@ -67,8 +76,10 @@ static CONF_PARSER module_config[] = { + A(preacct) + A(accounting) + A(checksimul) ++#ifdef WITH_PROXY + A(pre_proxy) + A(post_proxy) ++#endif + A(post_auth) + #ifdef WITH_COA + A(recv_coa) +@@ -98,7 +109,9 @@ static struct { + A(L_AUTH) + A(L_INFO) + A(L_ERR) ++#ifdef WITH_PROXY + A(L_PROXY) ++#endif + A(L_ACCT) + A(L_DBG_WARN) + A(L_DBG_ERR) +@@ -186,18 +199,16 @@ static void python_error_log(void) + + if (!pExcType || !pExcValue) { + ERROR("%s:%d, Unknown error", __func__, __LINE__); +- if (pExcType) { +- Py_DecRef(pExcType); +- } +- if (pExcValue) { +- Py_DecRef(pExcValue); +- } ++ Py_XDECREF(pExcType); ++ Py_XDECREF(pExcValue); + return; + } + + if (((pStr1 = PyObject_Str(pExcType)) != NULL) && + ((pStr2 = PyObject_Str(pExcValue)) != NULL)) { + ERROR("%s:%d, Exception type: %s, Exception value: %s", __func__, __LINE__, PyUnicode_AsUTF8(pStr1), PyUnicode_AsUTF8(pStr2)); ++ Py_DECREF(pStr1); ++ Py_DECREF(pStr2); + } + + if (pExcTraceback) { +@@ -217,46 +228,23 @@ static void python_error_log(void) + char *str = PyBytes_AsString(pTraceString); + ERROR("%s:%d, full_backtrace: %s", __func__, __LINE__, str); + +- if (pyth_val) { +- Py_DecRef(pyth_val); +- } +- if (pystr) { +- Py_DecRef(pystr); +- } +- if (pTraceString) { +- Py_DecRef(pTraceString); +- } ++ Py_DECREF(pyth_val); ++ Py_DECREF(pystr); ++ Py_DECREF(pTraceString); ++ Py_DECREF(pyth_func); + } +- if (pyth_func) { +- Py_DecRef(pyth_func); +- } +- Py_DecRef(pyth_module); ++ Py_DECREF(pyth_module); + } else { + ERROR("%s:%d, py_module is null, name: %p", __func__, __LINE__, module_name); + } + +- if (module_name) { +- Py_DecRef(module_name); +- } +- +- Py_DecRef(pRepr); ++ Py_DECREF(module_name); ++ Py_DECREF(pRepr); ++ Py_DECREF(pExcTraceback); + } + +- if (pExcType) { +- Py_DecRef(pExcType); +- } +- if (pExcValue) { +- Py_DecRef(pExcValue); +- } +- if 
(pExcTraceback) { +- Py_DecRef(pExcTraceback); +- } +- if (pStr1) { +- Py_DecRef(pStr1); +- } +- if (pStr2) { +- Py_DecRef(pStr2); +- } ++ Py_DECREF(pExcType); ++ Py_DECREF(pExcValue); + } + + static void mod_vptuple(TALLOC_CTX *ctx, REQUEST *request, VALUE_PAIR **vps, PyObject *pValue, +@@ -510,6 +498,7 @@ static rlm_rcode_t do_python_single(REQUEST *request, PyObject *pFunc, char cons + goto finish; + } + ++#ifdef WITH_PROXY + /* fill proxy vps */ + if (request->proxy) { + if (!mod_populate_vps(pArgs, 4, request->proxy->vps)) { +@@ -517,10 +506,13 @@ static rlm_rcode_t do_python_single(REQUEST *request, PyObject *pFunc, char cons + ret = RLM_MODULE_FAIL; + goto finish; + } +- } else { ++ } else ++#endif ++ { + mod_populate_vps(pArgs, 4, NULL); + } + ++#ifdef WITH_PROXY + /* fill proxy_reply vps */ + if (request->proxy_reply) { + if (!mod_populate_vps(pArgs, 5, request->proxy_reply->vps)) { +@@ -528,7 +520,9 @@ static rlm_rcode_t do_python_single(REQUEST *request, PyObject *pFunc, char cons + ret = RLM_MODULE_FAIL; + goto finish; + } +- } else { ++ } else ++#endif ++ { + mod_populate_vps(pArgs, 5, NULL); + } + +@@ -550,9 +544,14 @@ static rlm_rcode_t do_python_single(REQUEST *request, PyObject *pFunc, char cons + PyDict_SetItemString(pDictInput, "request", PyTuple_GET_ITEM(pArgs, 0)) || + PyDict_SetItemString(pDictInput, "reply", PyTuple_GET_ITEM(pArgs, 1)) || + PyDict_SetItemString(pDictInput, "config", PyTuple_GET_ITEM(pArgs, 2)) || +- PyDict_SetItemString(pDictInput, "session-state", PyTuple_GET_ITEM(pArgs, 3)) || ++ PyDict_SetItemString(pDictInput, "session-state", PyTuple_GET_ITEM(pArgs, 3)) ++#ifdef WITH_PROXY ++ || + PyDict_SetItemString(pDictInput, "proxy-request", PyTuple_GET_ITEM(pArgs, 4)) || +- PyDict_SetItemString(pDictInput, "proxy-reply", PyTuple_GET_ITEM(pArgs, 5))) { ++ PyDict_SetItemString(pDictInput, "proxy-reply", PyTuple_GET_ITEM(pArgs, 5)) ++#endif ++ ) { ++ + ERROR("%s:%d, %s - PyDict_SetItemString failed", __func__, __LINE__, funcname); + 
ret = RLM_MODULE_FAIL; + goto finish; +@@ -819,8 +818,10 @@ MOD_FUNC(authorize) + MOD_FUNC(preacct) + MOD_FUNC(accounting) + MOD_FUNC(checksimul) ++#ifdef WITH_PROXY + MOD_FUNC(pre_proxy) + MOD_FUNC(post_proxy) ++#endif + MOD_FUNC(post_auth) + #ifdef WITH_COA + MOD_FUNC(recv_coa) +@@ -1102,7 +1103,7 @@ static int python_interpreter_init(rlm_python_t *inst, CONF_SECTION *conf) + python_dlhandle = dlopen_libpython(RTLD_NOW | RTLD_GLOBAL); + if (!python_dlhandle) WARN("Failed loading libpython symbols into global symbol table"); + +-#if PY_VERSION_HEX > 0x03050000 ++#if PY_VERSION_HEX >= 0x03050000 + { + wchar_t *name; + +@@ -1110,13 +1111,6 @@ static int python_interpreter_init(rlm_python_t *inst, CONF_SECTION *conf) + Py_SetProgramName(name); /* The value of argv[0] as a wide char string */ + PyMem_RawFree(name); + } +-#elif PY_VERSION_HEX > 0x0300000 +- { +- wchar_t *name; +- +- MEM(name = _Py_char2wchar(main_config.name, NULL)); +- Py_SetProgramName(inst->wide_name); /* The value of argv[0] as a wide char string */ +- } + #else + { + char *name; +@@ -1163,37 +1157,34 @@ static int python_interpreter_init(rlm_python_t *inst, CONF_SECTION *conf) + * the lifetime of the module. 
+ */ + if (inst->python_path) { ++ char *p, *path; ++ PyObject *sys = PyImport_ImportModule("sys"); ++ PyObject *sys_path = PyObject_GetAttrString(sys, "path"); ++ ++ memcpy(&p, &inst->python_path, sizeof(path)); ++ ++ for (path = strtok(p, ":"); path != NULL; path = strtok(NULL, ":")) { + #if PY_VERSION_HEX > 0x03050000 +- { +- wchar_t *path; +- PyObject* sys = PyImport_ImportModule("sys"); +- PyObject* sys_path = PyObject_GetAttrString(sys,"path"); +- +- MEM(path = Py_DecodeLocale(inst->python_path, NULL)); +- PyList_Append(sys_path, PyUnicode_FromWideChar(path,-1)); +- PyObject_SetAttrString(sys,"path",sys_path); +- PyMem_RawFree(path); +- } ++ wchar_t *py_path; ++ ++ MEM(py_path = Py_DecodeLocale(path, NULL)); ++ PyList_Append(sys_path, PyUnicode_FromWideChar(py_path, -1)); ++ PyMem_RawFree(py_path); + #elif PY_VERSION_HEX > 0x03000000 +- { +- wchar_t *path; +- PyObject* sys = PyImport_ImportModule("sys"); +- PyObject* sys_path = PyObject_GetAttrString(sys,"path"); +- +- MEM(path = _Py_char2wchar(inst->python_path, NULL)); +- PyList_Append(sys_path, PyUnicode_FromWideChar(path,-1)); +- PyObject_SetAttrString(sys,"path",sys_path); +- } +-#else +- { +- char *path; ++ wchar_t *py_path; + +- memcpy(&path, &inst->python_path, sizeof(path)); +- Py_SetPath(path); +- } ++ MEM(py_path = _Py_char2wchar(path, NULL)); ++ PyList_Append(sys_path, PyUnicode_FromWideChar(py_path, -1)); ++ PyMem_RawFree(py_path); ++#else ++ PyList_Append(sys_path, PyLong_FromString(path)); + #endif +- } ++ } + ++ PyObject_SetAttrString(sys, "path", sys_path); ++ Py_DecRef(sys); ++ Py_DecRef(sys_path); ++ } + } else { + inst->module = main_module; + Py_IncRef(inst->module); +@@ -1220,7 +1211,7 @@ static int python_interpreter_init(rlm_python_t *inst, CONF_SECTION *conf) + static int mod_instantiate(CONF_SECTION *conf, void *instance) + { + rlm_python_t *inst = instance; +- int code = 0; ++ int code = RLM_MODULE_OK; + + inst->name = cf_section_name2(conf); + if (!inst->name) inst->name = 
cf_section_name1(conf); +@@ -1245,8 +1236,10 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) + PYTHON_FUNC_LOAD(preacct); + PYTHON_FUNC_LOAD(accounting); + PYTHON_FUNC_LOAD(checksimul); ++#ifdef WITH_PROXY + PYTHON_FUNC_LOAD(pre_proxy); + PYTHON_FUNC_LOAD(post_proxy); ++#endif + PYTHON_FUNC_LOAD(post_auth); + #ifdef WITH_COA + PYTHON_FUNC_LOAD(recv_coa); +@@ -1257,12 +1250,14 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) + /* + * Call the instantiate function. + */ +- code = do_python_single(NULL, inst->instantiate.function, "instantiate", inst->pass_all_vps, inst->pass_all_vps_dict); +- if (code < 0) { +- error: +- python_error_log(); /* Needs valid thread with GIL */ +- PyEval_SaveThread(); +- return -1; ++ if (inst->instantiate.function) { ++ code = do_python_single(NULL, inst->instantiate.function, "instantiate", inst->pass_all_vps, inst->pass_all_vps_dict); ++ if (code < 0) { ++ error: ++ python_error_log(); /* Needs valid thread with GIL */ ++ PyEval_SaveThread(); ++ return -1; ++ } + } + PyEval_SaveThread(); + +@@ -1272,22 +1267,31 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance) + static int mod_detach(void *instance) + { + rlm_python_t *inst = instance; +- int ret; ++ int ret = RLM_MODULE_OK; + + /* + * Call module destructor + */ + PyEval_RestoreThread(inst->sub_interpreter); + +- ret = do_python_single(NULL, inst->detach.function, "detach", inst->pass_all_vps, inst->pass_all_vps_dict); ++ if (inst->detach.function) ret = do_python_single(NULL, inst->detach.function, "detach", inst->pass_all_vps, inst->pass_all_vps_dict); + + #define PYTHON_FUNC_DESTROY(_x) python_function_destroy(&inst->_x) + PYTHON_FUNC_DESTROY(instantiate); +- PYTHON_FUNC_DESTROY(authorize); + PYTHON_FUNC_DESTROY(authenticate); ++ PYTHON_FUNC_DESTROY(authorize); + PYTHON_FUNC_DESTROY(preacct); + PYTHON_FUNC_DESTROY(accounting); + PYTHON_FUNC_DESTROY(checksimul); ++#ifdef WITH_PROXY ++ PYTHON_FUNC_DESTROY(pre_proxy); ++ 
PYTHON_FUNC_DESTROY(post_proxy); ++#endif ++ PYTHON_FUNC_DESTROY(post_auth); ++#ifdef WITH_COA ++ PYTHON_FUNC_DESTROY(recv_coa); ++ PYTHON_FUNC_DESTROY(send_coa); ++#endif + PYTHON_FUNC_DESTROY(detach); + + Py_DecRef(inst->pythonconf_dict); +@@ -1313,14 +1317,8 @@ static int mod_detach(void *instance) + PyThreadState_Swap(main_interpreter); /* Swap to the main thread */ + Py_Finalize(); + dlclose(python_dlhandle); +- +-#if PY_VERSION_HEX > 0x03050000 +- //if (inst->wide_name) PyMem_RawFree(inst->wide_name); +- //if (inst->wide_path) PyMem_RawFree(inst->wide_path); +-#endif + } + +- + return ret; + } + +@@ -1348,8 +1346,10 @@ module_t rlm_python3 = { + [MOD_PREACCT] = mod_preacct, + [MOD_ACCOUNTING] = mod_accounting, + [MOD_SESSION] = mod_checksimul, ++#ifdef WITH_PROXY + [MOD_PRE_PROXY] = mod_pre_proxy, + [MOD_POST_PROXY] = mod_post_proxy, ++#endif + [MOD_POST_AUTH] = mod_post_auth, + #ifdef WITH_COA + [MOD_RECV_COA] = mod_recv_coa, +-- +2.26.2 + diff --git a/SOURCES/freeradius-listen-ipv6-fix.patch b/SOURCES/freeradius-listen-ipv6-fix.patch deleted file mode 100644 index 3ab1066..0000000 --- a/SOURCES/freeradius-listen-ipv6-fix.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Mon, 22 Apr 2019 14:38:19 -0400 -Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host - -In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added -which effectively result in a listen.ipaddr only allowing hostnames to -resolve to IPv4 addresses. With a hostname with only a IPv6 address, -it'll bail with the error message: - -radiusd: #### Opening IP addresses and Ports #### -listen { - type = "auth" -Failed resolving "ipv6.cipherboy.com" to IPv4 address: - Name or service not known - -This directly contradicts the language in the default configuration -file, so support resolving both IPv4-only and IPv6-only hostnames. - -Signed-off-by: Alexander Scheel ---- - src/lib/misc.c | 7 ------- - 1 file changed, 7 deletions(-) - -diff --git a/src/lib/misc.c b/src/lib/misc.c -index dff21e33f7..5520d8a0a4 100644 ---- a/src/lib/misc.c -+++ b/src/lib/misc.c -@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res - fr_strerror_printf("Invalid address"); - return -1; - } -- -- /* -- * Fall through to resolving the address, using -- * whatever address family they prefer. If they -- * don't specify an address family, force IPv4. -- */ -- if (af == AF_UNSPEC) af = AF_INET; - } - - /* diff --git a/SOURCES/freeradius-man-Fix-some-typos.patch b/SOURCES/freeradius-man-Fix-some-typos.patch deleted file mode 100644 index 26d84de..0000000 --- a/SOURCES/freeradius-man-Fix-some-typos.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001 -From: Nikolai Kondrashov -Date: Fri, 14 Sep 2018 11:53:28 +0300 -Subject: [PATCH] man: Fix some typos - ---- - man/man5/radrelay.conf.5 | 2 +- - man/man5/rlm_files.5 | 2 +- - man/man5/unlang.5 | 8 ++++---- - man/man8/radrelay.8 | 2 +- - 4 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5 -index 5fb38bfc4e..e3e665024b 100644 ---- a/man/man5/radrelay.conf.5 -+++ b/man/man5/radrelay.conf.5 -@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one - backup server. When the primary goes down, most NASes detect that and - switch to the backup server. - --That will cause your accounting packets to go the the backup server - -+That will cause your accounting packets to go to the backup server - - and some NASes don't even switch back to the primary server when it - comes back up. - -diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5 -index bfee5030ff..52f4734ae3 100644 ---- a/man/man5/rlm_files.5 -+++ b/man/man5/rlm_files.5 -@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that - perform per-group checks, and return per-group attributes, where the - group membership is dynamically defined by a previous module. It also - lets you do things like key off of attributes in the reply, and --express policies like like "when I send replies containing attribute -+express policies like "when I send replies containing attribute - FOO with value BAR, do more checks, and maybe send additional - attributes". - .SH CONFIGURATION -diff --git a/man/man5/unlang.5 b/man/man5/unlang.5 -index 76db8f2d1c..12fe7855b2 100644 ---- a/man/man5/unlang.5 -+++ b/man/man5/unlang.5 -@@ -36,7 +36,7 @@ the pre-defined keywords here. - - Subject to a few limitations described below, any keyword can appear - in any context. The language consists of a series of entries, each --one one line. 
Each entry begins with a keyword. Entries are -+one line. Each entry begins with a keyword. Entries are - organized into lists. Processing of the language is line by line, - from the start of the list to the end. Actions are executed - per-keyword. -@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below. The match is - then performed on the string returned from the expansion. If the - argument is an attribute reference (e.g. &User-Name), then the match - is performed on the value of that attribute. Otherwise, the argument --is taken to be a literal string, and and matching is done via simple -+is taken to be a literal string, and matching is done via simple - comparison. - - No statement other than "case" can appear in a "switch" block. -@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below. The match is - then performed on the string returned from the expansion. If the - argument is an attribute reference (e.g. &User-Name), then the match - is performed on the value of that attribute. Otherwise, the argument --is taken to be a literal string, and and matching is done via simple -+is taken to be a literal string, and matching is done via simple - comparison. - - .DS -@@ -799,7 +799,7 @@ regular expression. If no attribute matches, nothing else is done. - The value can be an attribute reference, or an attribute-specific - string. - --When the value is an an attribute reference, it must take the form of -+When the value is an attribute reference, it must take the form of - "&Attribute-Name". The leading "&" signifies that the value is a - reference. The "Attribute-Name" is an attribute name, such as - "User-Name" or "request:User-Name". When an attribute reference is -diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8 -index fdba6995d5..99e65732a2 100644 ---- a/man/man8/radrelay.8 -+++ b/man/man8/radrelay.8 -@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one - backup server. 
When the primary goes down, most NASes detect that and - switch to the backup server. - --That will cause your accounting packets to go the the backup server - -+That will cause your accounting packets to go to the backup server - - and some NASes don't even switch back to the primary server when it - comes back up. - --- -2.18.0 - diff --git a/SOURCES/freeradius-no-buildtime-cert-gen.patch b/SOURCES/freeradius-no-buildtime-cert-gen.patch new file mode 100644 index 0000000..aa3be66 --- /dev/null +++ b/SOURCES/freeradius-no-buildtime-cert-gen.patch 
@@ -0,0 +1,104 @@ +From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 8 May 2019 12:58:02 -0400 +Subject: [PATCH] Don't generate certificates in reproducible builds + +Signed-off-by: Alexander Scheel +--- + Make.inc.in | 5 +++++ + configure | 4 ++++ + configure.ac | 3 +++ + raddb/all.mk | 4 ++++ + 4 files changed, 16 insertions(+) + +diff --git a/Make.inc.in b/Make.inc.in +index 0b2cd74de8..8c623cf95c 100644 +--- a/Make.inc.in ++++ b/Make.inc.in +@@ -173,3 +173,8 @@ else + TESTBINDIR = ./$(BUILD_DIR)/bin + TESTBIN = ./$(BUILD_DIR)/bin + endif ++ ++# ++# With reproducible builds, do not generate certificates during installation ++# ++ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@ +diff --git a/configure b/configure +index c2c599c92b..3d4403a844 100755 +--- a/configure ++++ b/configure +@@ -655,6 +655,7 @@ RUSERS + SNMPWALK + SNMPGET + PERL ++ENABLE_REPRODUCIBLE_BUILDS + openssl_version_check_config + WITH_DHCP + modconfdir +@@ -5586,6 +5587,7 @@ else + fi + + ++ENABLE_REPRODUCIBLE_BUILDS=yes + # Check whether --enable-reproducible-builds was given. + if test "${enable_reproducible_builds+set}" = set; then : + enableval=$enable_reproducible_builds; case "$enableval" in +@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h + ;; + *) + reproducible_builds=no ++ ENABLE_REPRODUCIBLE_BUILDS=no + esac + + fi +@@ -5604,6 +5607,7 @@ fi + + + ++ + CHECKRAD=checkrad + # Extract the first word of "perl", so it can be a program name with args. 
+ set dummy perl; ac_word=$2 +diff --git a/configure.ac b/configure.ac +index a7abf0025a..35b013f4af 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config]) + dnl # + dnl # extra argument: --enable-reproducible-builds + dnl # ++ENABLE_REPRODUCIBLE_BUILDS=yes + AC_ARG_ENABLE(reproducible-builds, + [AS_HELP_STRING([--enable-reproducible-builds], + [ensure the build does not change each time])], +@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds, + ;; + *) + reproducible_builds=no ++ ENABLE_REPRODUCIBLE_BUILDS=no + esac ] + ) ++AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS) + + + dnl ############################################################# +diff --git a/raddb/all.mk b/raddb/all.mk +index c966edd657..c8e976a499 100644 +--- a/raddb/all.mk ++++ b/raddb/all.mk +@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize + ifneq "$(LOCAL_CERT_PRODUCTS)" "" + $(LOCAL_CERT_PRODUCTS): + @echo BOOTSTRAP raddb/certs/ ++ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes" ++ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk ++else + @$(MAKE) -C $(R)$(raddbdir)/certs/ ++endif + + # Bootstrap is special + $(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS) +-- +2.21.0 + diff --git a/SOURCES/freeradius-no-dh-param-load-FIPS.patch b/SOURCES/freeradius-no-dh-param-load-FIPS.patch new file mode 100644 index 0000000..b727a26 --- /dev/null +++ b/SOURCES/freeradius-no-dh-param-load-FIPS.patch 
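Review bot: `ENABLE_REPRODUCIBLE_BUILDS=yes` is assigned unconditionally before `AC_ARG_ENABLE(reproducible-builds, …)`, and the option's action only flips it to `no` in the `*)` branch, so a tree configured without `--enable-reproducible-builds` still ends up with `ENABLE_REPRODUCIBLE_BUILDS=yes` in Make.inc and `raddb/all.mk` then runs only `passwords.mk`, silently dropping the certificate bootstrap such a build used to get; the regenerated `configure` hunk hard-codes the same default. The option is documented as opt-in ("ensure the build does not change each time"), so the Makefile flag should follow it: initialise with `ENABLE_REPRODUCIBLE_BUILDS=no` and set `ENABLE_REPRODUCIBLE_BUILDS=yes` inside the `yes)` branch (whose body is not shown in the inner hunk), mirroring the `*)` branch, in both configure.ac and configure. The RPM build is unaffected only because %configure passes `--enable-reproducible-builds` explicitly; anyone else applying this patch gets the inverted default.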
@@ -0,0 +1,45 @@ +From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Wed, 5 Aug 2020 11:39:45 -0400 +Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554) + +OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode: +user-provided dhparams will be ignored (and dhparam generation +may fail as well), unless they are on the FIPS approved list of +parameters. However, OpenSSL since v1.1.1 will automatically select +an appropriate DH parameter set anyways, if the user did not provide +any. These will be FIPS approved. + +Signed-off-by: Alexander Scheel +--- + src/main/tls.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/src/main/tls.c b/src/main/tls.c +index 5809a1bd7d..5e6493333c 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file) + + if (!file) return 0; + ++ /* ++ * Prior to trying to load the file, check what OpenSSL will do with it. ++ * ++ * Certain downstreams (such as RHEL) will ignore user-provided dhparams ++ * in FIPS mode, unless the specified parameters are FIPS-approved. ++ * However, since OpenSSL >= 1.1.1 will automatically select parameters ++ * anyways, there's no point in attempting to load them. ++ * ++ * Change suggested by @t8m ++ */ ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++ if (FIPS_mode() > 0) { ++ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults."); ++ return 0; ++ } ++#endif ++ + if ((bio = BIO_new_file(file, "r")) == NULL) { + ERROR(LOG_PREFIX ": Unable to open DH file - %s", file); + return -1; diff --git a/SOURCES/freeradius-python2-shebangs.patch b/SOURCES/freeradius-python2-shebangs.patch deleted file mode 100644 index 86954db..0000000 --- a/SOURCES/freeradius-python2-shebangs.patch +++ /dev/null 
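Review bot: The new guard `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` has no upper bound, yet `FIPS_mode()` no longer exists in OpenSSL 3.0, so load_dh_params stops compiling the moment this patch is carried to a 3.x build; either bound it (`… && OPENSSL_VERSION_NUMBER < 0x30000000L`) or select `EVP_default_properties_is_fips_enabled(NULL)` for 3.x. The warning should also name what is being ignored so an operator can connect it to their configuration: `WARN(LOG_PREFIX ": Ignoring user-selected DH parameters \"%s\" in FIPS mode. Using defaults.", file);`. The comment's claim that OpenSSL picks parameters automatically only holds if the rest of tls.c actually enables automatic DH selection (e.g. `SSL_CTX_set_dh_auto()`); that code is outside the hunk, so confirm it before relying on "Using defaults", otherwise DHE suites may simply be unavailable in FIPS mode. The rest of load_dh_params continues outside the hunk.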
@@ -1,64 +0,0 @@ -From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Thu, 18 Oct 2018 12:40:53 -0400 -Subject: [PATCH] Clarify shebangs to be python2 - -Signed-off-by: Alexander Scheel ---- - scripts/radtee | 2 +- - src/modules/rlm_python/example.py | 2 +- - src/modules/rlm_python/prepaid.py | 2 +- - src/modules/rlm_python/radiusd.py | 2 +- - src/modules/rlm_python/radiusd_test.py | 2 +- - 5 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/scripts/radtee b/scripts/radtee -index 123769d244..78b4bcbe0b 100755 ---- a/scripts/radtee -+++ b/scripts/radtee -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python2 - from __future__ import with_statement - - # RADIUS comparison tee v1.0 -diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py -index 5950a07678..eaf456e349 100644 ---- a/src/modules/rlm_python/example.py -+++ b/src/modules/rlm_python/example.py -@@ -1,4 +1,4 @@ --#! /usr/bin/env python -+#! /usr/bin/env python2 - # - # Python module example file - # Miguel A.L. Paraz -diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py -index c3cbf57b8f..3b1dc2e2e8 100644 ---- a/src/modules/rlm_python/prepaid.py -+++ b/src/modules/rlm_python/prepaid.py -@@ -1,4 +1,4 @@ --#! /usr/bin/env python -+#! /usr/bin/env python2 - # - # Example Python module for prepaid usage using MySQL - -diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py -index c535bb3caf..7129923994 100644 ---- a/src/modules/rlm_python/radiusd.py -+++ b/src/modules/rlm_python/radiusd.py -@@ -1,4 +1,4 @@ --#! /usr/bin/env python -+#! /usr/bin/env python2 - # - # Definitions for RADIUS programs - # -diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py -index 13b7128b29..97b5b64f08 100644 ---- a/src/modules/rlm_python/radiusd_test.py -+++ b/src/modules/rlm_python/radiusd_test.py -@@ -1,4 +1,4 @@ --#! 
/usr/bin/env python -+#! /usr/bin/env python2 - # - # Python module test - # Miguel A.L. Paraz diff --git a/SOURCES/freeradius-tmpfiles.conf b/SOURCES/freeradius-tmpfiles.conf index ead7a2f..8f20796 100644 --- a/SOURCES/freeradius-tmpfiles.conf +++ b/SOURCES/freeradius-tmpfiles.conf @@ -1 +1 @@ -D /var/run/radiusd 0710 radiusd radiusd - +D /run/radiusd 0710 radiusd radiusd - diff --git a/SOURCES/radiusd.service b/SOURCES/radiusd.service index 32ed926..d073530 100644 --- a/SOURCES/radiusd.service +++ b/SOURCES/radiusd.service @@ -1,11 +1,12 @@ [Unit] Description=FreeRADIUS high performance RADIUS server. -After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service +After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service [Service] Type=forking PIDFile=/var/run/radiusd/radiusd.pid ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd +ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap ExecStartPre=/usr/sbin/radiusd -C ExecStart=/usr/sbin/radiusd -d /etc/raddb ExecReload=/usr/sbin/radiusd -C diff --git a/SOURCES/rfc3526-group-18-8192.pem b/SOURCES/rfc3526-group-18-8192.pem new file mode 100644 index 0000000..af54dd6 --- /dev/null +++ b/SOURCES/rfc3526-group-18-8192.pem 
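Review bot: The tmpfiles hunk moves the runtime directory to `/run/radiusd`, but this unit still declares `PIDFile=/var/run/radiusd/radiusd.pid` and chowns `/var/run/radiusd` (unchanged context lines), so the two files now disagree and only work because /var/run is a symlink to /run on systemd hosts, where recent systemd also logs a warning for PIDFile= paths under the legacy /var/run/ directory. Update both to `PIDFile=/run/radiusd/radiusd.pid` and `ExecStartPre=-/bin/chown -R radiusd:radiusd /run/radiusd` (the `:` separator; `user.group` is deprecated in GNU chown). Note also that the added `ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap` runs with the unit's privileges (root, given the chown line) on every start and, lacking the `-` prefix, any bootstrap failure blocks the service; that is the right fail-closed behaviour for key material that must exist before `radiusd -C`, but it deserves a comment in the unit so a later "fix" does not add `-`. The new `After=… mysql.service mariadb.service postgresql.service` is ordering only with no `Wants=`, which is presumably intentional — confirm.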
@@ -0,0 +1,24 @@ +-----BEGIN DH PARAMETERS----- +MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM +fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq +ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI +ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O ++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI +HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG +3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU +7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId +A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha +xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/ +8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R +WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk +ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw +xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4 +Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i +aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU +38gfVuiAuW5xYMmA3Zjt09///////////wIBAg== +-----END DH PARAMETERS----- diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec index 2771e27..040a696 100644 --- a/SPECS/freeradius.spec +++ b/SPECS/freeradius.spec @@ -8,8 +8,8 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius -Version: 3.0.17 -Release: 7%{?dist} +Version: 3.0.20 +Release: 3%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ 
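Review bot: The DH parameter blob is committed without any provenance check or attribution: nothing in the diff shows that it decodes to the RFC 3526 section 7 8192-bit MODP group with generator 2, and a wrong or weakened prime in a file named after a standard group would be accepted silently by whatever loads it. Before merging, verify with `openssl dhparam -in rfc3526-group-18-8192.pem -check -text` that the printed prime and generator match the RFC, and record that in the spec comment that copies the file into raddb/certs, e.g. `# RFC 3526 section 7 (MODP group 18); prime verified against the RFC hex`. If this is also what `freeradius-bootstrap-fixed-dhparam.patch` installs as the server's dh_file, keep in mind that an 8192-bit DHE exchange is far more expensive per handshake than a 2048/3072-bit well-known group — presumably chosen for FIPS acceptability, which is worth one sentence in the spec.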
@@ -28,18 +28,16 @@ Source100: radiusd.service Source102: freeradius-logrotate Source103: freeradius-pam-conf Source104: freeradius-tmpfiles.conf +Source105: rfc3526-group-18-8192.pem Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch Patch2: freeradius-Use-system-crypto-policy-by-default.patch -Patch3: freeradius-man-Fix-some-typos.patch -Patch4: freeradius-Add-missing-option-descriptions.patch -Patch5: freeradius-OpenSSL-HMAC-MD5.patch -Patch6: freeradius-OpenSSL-HMAC-SHA1.patch -Patch7: freeradius-python2-shebangs.patch -Patch8: freeradius-EAP-PWD-curve-handling.patch -Patch9: freeradius-listen-ipv6-fix.patch -Patch10: freeradius-EAP-PWD-information-leak-10-iterations.patch - +Patch3: freeradius-bootstrap-create-only.patch +Patch4: freeradius-no-buildtime-cert-gen.patch +Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch +Patch6: freeradius-bootstrap-make-permissions.patch +Patch7: freeradius-no-dh-param-load-FIPS.patch +Patch8: freeradius-bootstrap-fixed-dhparam.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -71,7 +69,7 @@ Requires(pre): shadow-utils glibc-common Requires(post): systemd-sysv Requires(post): systemd-units # Needed for certificate generation -Requires(post): make +Requires: make Requires(preun): systemd-units Requires(postun): systemd-units @@ -154,7 +152,7 @@ This plugin provides the Perl support for the FreeRADIUS server project. %if %{with python2} %package -n python2-freeradius -Summary: Python support for freeradius +Summary: Python 2 support for freeradius Group: System Environment/Daemons Requires: %{name} = %{version}-%{release} BuildRequires: python2-devel 
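Review bot: The removed `Patch3`–`Patch10` lines drop the 3.0.17 backports, including `freeradius-EAP-PWD-curve-handling.patch`, `freeradius-listen-ipv6-fix.patch` and `freeradius-EAP-PWD-information-leak-10-iterations.patch`, but neither a spec comment nor the changelog states that 3.0.20 already contains those fixes. Once that is confirmed, add a comment above the new `Patch3:` line such as `# 3.0.17 backports (OpenSSL HMAC, EAP-PWD, IPv6 listen, python2 shebangs) are upstream as of 3.0.20` so the next rebase can distinguish intentional drops from lost security fixes. The change from `Requires(post): make` to `Requires: make` is consistent with bootstrap now running from the unit at service start rather than from `%post`.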
@@ -165,10 +163,19 @@ Provides: %{name}-python%{?_isa} = %{version}-%{release} Obsoletes: %{name}-python < %{version}-%{release} %description -n python2-freeradius -This plugin provides the Python support for the FreeRADIUS server project. +This plugin provides the Python 2 support for the FreeRADIUS server project. # endif: with python2 %endif +%package -n python3-freeradius +Summary: Python 3 support for freeradius +Requires: %{name} = %{version}-%{release} +BuildRequires: python3-devel +%{?python_provide:%python_provide python3-freeradius} + +%description -n python3-freeradius +This plugin provides the Python 3 support for the FreeRADIUS server project. + %package mysql Summary: MySQL support for freeradius Group: System Environment/Daemons @@ -227,13 +234,22 @@ This plugin provides the REST support for the FreeRADIUS server project. %patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch9 -p1 -%patch10 -p1 + +# Add fixed dhparam file to the source to ensure `make tests` can run. +cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam %build # Force compile/link options, extra security for network facing daemon %global _hardened_build 1 +# Hack: rlm_python3 as stable; prevents building other unstable modules. +sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i + +# python3-config is broken: +# https://bugzilla.redhat.com/show_bug.cgi?id=1772988 +export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')" +export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')" + %configure \ --libdir=%{_libdir}/freeradius \ --enable-reproducible-builds \ 
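Review bot: `export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"` only yields a sane path when `--configdir` prints a `/usr/lib/...` prefix; if it already reports the `%{_libdir}` form (e.g. `/usr/lib64/...`) the sed leaves it untouched and the result becomes `/usr/lib64//usr/lib64/...`. Deriving it the same way `PY3_INC_DIR` is derived, `python3 -c 'import sysconfig; print(sysconfig.get_config_var("LIBPL"))'`, avoids the string surgery, though I have not confirmed that value matches what `--with-rlm-python3-lib-dir` expects on this branch. The `sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i` hack also matches an existing `rlm_python3` entry and any other `rlm_python*` name, and would produce a duplicate if both `rlm_python` and `rlm_python3` are listed; `sed -i 's/^rlm_python$/rlm_python3/' src/modules/stable` states the intent more narrowly, assuming the file holds one module name per line.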
@@ -249,6 +265,12 @@ This plugin provides the REST support for the FreeRADIUS server project. --with-unixodbc-lib-dir=%{_libdir} \ --with-rlm-dbm-lib-dir=%{_libdir} \ --with-rlm-krb5-include-dir=/usr/kerberos/include \ + --with-rlm_python3 \ + --with-rlm-python3-lib-dir=$PY3_LIB_DIR \ + --with-rlm-python3-include-dir=$PY3_INC_DIR \ +%if %{without python2} + --without-rlm-python2 \ +%endif --without-rlm_eap_ikev2 \ --without-rlm_eap_tnc \ --without-rlm_sql_iodbc \ @@ -256,11 +278,6 @@ This plugin provides the REST support for the FreeRADIUS server project. --without-rlm_sql_db2 \ --without-rlm_sql_oracle \ --without-rlm_unbound \ -%if %{without python2} - --without-rlm_python \ - --without-python \ - --disable-python \ -%endif --without-rlm_redis \ --without-rlm_rediswho \ --without-rlm_cache_memcached @@ -285,12 +302,16 @@ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf +# Add fixed dhparam file +install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam + # install SNMP MIB files mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ # remove unneeded stuff rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key @@ -324,11 +345,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab* rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so -# conditionally remove python due to it being python2-only -%if %{without python2} -rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/python -%endif - # Remove yubikey on RHEL %if 0%{?rhel} rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey 
@@ -338,6 +354,10 @@ rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so # remove unsupported config files rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf +# Mongo will never be supported on Fedora or RHEL +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf +rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf + # install doc files omitted by standard install for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do cp $f $RPM_BUILD_ROOT/%{docdir} @@ -369,12 +389,6 @@ exit 0 %post %systemd_post radiusd.service -if [ $1 -eq 1 ]; then # install - # Initial installation - if [ ! -e /etc/raddb/certs/server.pem ]; then - /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1 - fi -fi exit 0 %preun @@ -440,6 +454,7 @@ exit 0 /etc/raddb/certs/README %config(noreplace) /etc/raddb/certs/xpextensions %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam %attr(750,root,radiusd) /etc/raddb/certs/bootstrap # mods-config @@ -467,6 +482,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa-relay %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp 
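Review bot: `%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam` treats a fixed, well-known DH group as an admin-editable config file, so a locally modified or weakened parameter file survives every upgrade instead of being restored to the packaged value. Unless local override is intended, drop `%config(noreplace)` (or use plain `%config`) for this file; DH parameters are public, so the 640 mode adds nothing but is harmless. The removal of the `%post` bootstrap block is fine on its own, provided the permission concern raised on the radiusd.service hunk is addressed.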
@@ -531,6 +547,8 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python3 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis @@ -598,6 +616,7 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/rfc7542 # binaries @@ -758,6 +777,12 @@ exit 0 # endif: with python2 %endif +%files -n python3-freeradius +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python3 +/etc/raddb/mods-config/python3/example.py* +/etc/raddb/mods-config/python3/radiusd.py* +%{_libdir}/freeradius/rlm_python3.so + %files mysql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf @@ -772,6 +797,7 @@ exit 0 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf 
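Review bot: In the new `%files -n python3-freeradius` section, `/etc/raddb/mods-config/python3/example.py*` and `/etc/raddb/mods-config/python3/radiusd.py*` are listed bare, while every other file under `/etc/raddb/mods-config` in this spec carries `%attr(640,root,radiusd) %config(noreplace)`; these will therefore be installed with whatever mode `make install` leaves and be overwritten on upgrade even if a site has edited `example.py`. Unless the glob is meant to sweep in generated `.pyc`/`.pyo` artefacts as well, list them as `%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/python3/example.py` and the same for `radiusd.py`, matching the rest of the file. The `mods-available/python` and `mods-available/python3` entries in the preceding hunk look consistent with that convention.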
@@ -808,6 +834,7 @@ exit 0 %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/queries.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/procedure.sql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql @@ -857,6 +884,22 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %changelog +* Thu Aug 06 2020 Alexander Scheel - 3.0.20-3 +- Require make for proper bootstrap execution, removes post script + Resolves: bz#1672285 + +* Wed Aug 05 2020 Alexander Scheel - 3.0.20-2 +- Fix breakage caused by OpenSSL FIPS regression + Related: bz#1855822 + Related: bz#1810911 + Resolves: bz#1672285 + +* Mon Jun 08 2020 Alexander Scheel - 3.0.20-1 +- Update to FreeRADIUS server version 3.0.20 +- Introduce Python 3 support; resolves: bz#1623069 +- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809 +- Create tmp files in /run; resolves: bz#1805975 + * Fri Nov 22 2019 Alexander Scheel - 3.0.17-7 - Fix information leak due to aborting when needing more than 10 iterations Resolves: bz#1751797