import freeradius-3.0.20-3.module+el8.3.0+7597+67902674

This commit is contained in:
CentOS Sources 2020-11-03 07:00:56 -05:00 committed by Andrew Lukoshko
parent db743c4f8e
commit 11830a4189
22 changed files with 2417 additions and 584 deletions

View File

@ -1 +1 @@
a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2 3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeradius-server-3.0.17.tar.bz2 SOURCES/freeradius-server-3.0.20.tar.bz2

View File

@ -1,97 +0,0 @@
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 12:20:11 +0300
Subject: [PATCH] man: Add missing option descriptions
---
man/man8/raddebug.8 | 4 ++++
man/man8/radiusd.8 | 7 +++++++
man/man8/radmin.8 | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
index 66e80e64fa..6e27e2453c 100644
--- a/man/man8/raddebug.8
+++ b/man/man8/raddebug.8
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
.IR condition ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-n
.IR name ]
.RB [ \-i
@@ -73,6 +75,8 @@ option is equivalent to using:
.IP "\-d \fIconfig directory\fP"
The radius configuration directory, usually /etc/raddb. See the
\fIradmin\fP manual page for more description of this option.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-n \fImname\fP"
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
.IP \-I\ \fIipv6-address\fP
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index c825f22d0d..98aef5e1be 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
.RB [ \-C ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-f ]
.RB [ \-h ]
.RB [ \-i
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
.IR name ]
.RB [ \-p
.IR port ]
+.RB [ \-P ]
.RB [ \-s ]
.RB [ \-t ]
.RB [ \-v ]
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
.IP "\-d \fIconfig directory\fP"
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
files such as the \fIdictionary\fP and the \fIusers\fP files.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP \-f
Do not fork, stay running as a foreground process.
.IP \-h
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
\fIradiusd.conf\fP are ignored.
This option MUST be used in conjunction with "-i".
+.IP "\-P
+Always write out PID, even with -f.
.IP \-s
Run in "single server" mode. The server normally runs with multiple
threads and/or processes, which can lower its response time to
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
index 5ecc963d81..5bf661fa71 100644
--- a/man/man8/radmin.8
+++ b/man/man8/radmin.8
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
.B radmin
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-e
.IR command ]
.RB [ \-E ]
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
configuration files to find the "listen" section that defines the
control socket filename.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-e \fIcommand\fP"
Run \fIcommand\fP and exit.
.IP \-E
--
2.18.0

View File

@ -12,24 +12,24 @@ diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 2621e183c..94494b2c6 100644 index 2621e183c..94494b2c6 100644
--- a/raddb/mods-available/eap --- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap +++ b/raddb/mods-available/eap
@@ -472,7 +472,7 @@ eap { @@ -533,7 +533,7 @@
#
# You should also delete all of the files # You should also delete all of the files
# in the directory when the server starts. # in the directory when the server starts.
- # tmpdir = /tmp/radiusd #
+ # tmpdir = /var/run/radiusd/tmp - # tmpdir = /tmp/radiusd
+ # tmpdir = /var/run/radiusd/tmp
# The command used to verify the client cert. # The command used to verify the client cert.
# We recommend using the OpenSSL command-line # We recommend using the OpenSSL command-line
@@ -486,7 +486,7 @@ eap { @@ -548,7 +548,7 @@
# in PEM format. This file is automatically
# deleted by the server when the command # deleted by the server when the command
# returns. # returns.
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" #
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" - # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
} }
# # OCSP Configuration
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a83c1f687..e500cf97b 100644 index a83c1f687..e500cf97b 100644
--- a/raddb/radiusd.conf.in --- a/raddb/radiusd.conf.in

View File

@ -1,45 +0,0 @@
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||

View File

@ -1,38 +0,0 @@
From 3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Date: Wed, 5 Jun 2019 19:21:06 +0000
Subject: [PATCH] EAP-pwd: fix side-channel leak where 1 in 2018 handshakes
fail
Previously the Hunting and Pecking algorithm of EAP-pwd aborted when
more than 10 iterations are needed. Every iteration has a 50% chance
of finding the password element. This means one in every 2048 handshakes
will fail, in which case an error frame is sent to the client. This
event leaks information that can be abused in an offline password
brute-force attack. More precisely, the adversary learns that all 10
iterations failed for the given random EAP-pwd token. Using the same
techniques as in the Dragonblood attack, this can be used to brute-force
the password.
This patch fixes the above issue by executing enough iterations such that
the password element is always found eventually.
Note that timing and cache leaks remain a risk against the current
implementation of EAP-pwd.
---
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index c54f08c030..d94851c3aa 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -192,7 +192,7 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
}
ctr = 0;
while (1) {
- if (ctr > 10) {
+ if (ctr > 100) {
DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);
goto fail;
}

View File

@ -1,68 +0,0 @@
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 09:54:46 -0400
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-MD5.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
index 2c662ff368..1cca00fa2a 100644
--- a/src/lib/hmacmd5.c
+++ b/src/lib/hmacmd5.c
@@ -27,10 +27,41 @@
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#include <freeradius-devel/md5.h>
-/** Calculate HMAC using MD5
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's MD5 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ *
+ */
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
+
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+#else
+/** Calculate HMAC using internal MD5 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -101,6 +132,7 @@
* hash */
fr_md5_final(digest, &context); /* finish up 2nd pass */
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

View File

@ -1,73 +0,0 @@
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 11:03:52 -0400
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-SHA1.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
index c3cbd87a2c..211470ea35 100644
--- a/src/lib/hmacsha1.c
+++ b/src/lib/hmacsha1.c
@@ -10,13 +10,19 @@
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#ifdef HMAC_SHA1_DATA_PROBLEMS
unsigned int sha1_data_problems = 0;
#endif
-/** Calculate HMAC using SHA1
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's SHA1 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -28,6 +34,26 @@
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
uint8_t const *key, size_t key_len)
{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+
+#else
+
+/** Calculate HMAC using internal SHA1 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ */
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
fr_sha1_ctx context;
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
@@ -142,6 +168,7 @@
}
#endif
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

View File

@ -1,33 +1,43 @@
From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001 From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 26 Sep 2016 19:48:36 +0300 Date: Wed, 8 May 2019 10:16:31 -0400
Subject: [PATCH] Use system crypto policy by default Subject: [PATCH] Use system-provided crypto-policies by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
--- ---
raddb/mods-available/eap | 2 +- raddb/mods-available/eap | 4 ++--
raddb/mods-available/inner-eap | 2 +- raddb/mods-available/inner-eap | 2 +-
raddb/sites-available/abfab-tls | 2 +- raddb/sites-available/abfab-tls | 2 +-
raddb/sites-available/tls | 4 ++-- raddb/sites-available/tls | 4 ++--
4 files changed, 5 insertions(+), 5 deletions(-) 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 94494b2c6..9a8dc9327 100644 index 36849e10f2..b28c0f19c6 100644
--- a/raddb/mods-available/eap --- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap +++ b/raddb/mods-available/eap
@@ -323,7 +323,7 @@ eap { @@ -368,7 +368,7 @@ eap {
# #
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
# #
- cipher_list = "DEFAULT" - cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM" + cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list # If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above) # (possibly defined by cipher_list option above)
@@ -912,7 +912,7 @@ eap {
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
#
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+ # cipher_list = "PROFILE=SYSTEM"
# PAC lifetime in seconds (default: seven days)
#
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 2b4df6267..af9aa88cd 100644 index 576eb7739e..ffa07188e2 100644
--- a/raddb/mods-available/inner-eap --- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap +++ b/raddb/mods-available/inner-eap
@@ -68,7 +68,7 @@ eap inner-eap { @@ -77,7 +77,7 @@ eap inner-eap {
# certificates. If so, edit this file. # certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem ca_file = ${cadir}/ca.pem
@ -37,7 +47,7 @@ index 2b4df6267..af9aa88cd 100644
# You may want to set a very small fragment size. # You may want to set a very small fragment size.
# The TLS data here needs to go inside of the # The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 5dbe143da..46b5fea78 100644 index 92f1d6330e..cd69b3905a 100644
--- a/raddb/sites-available/abfab-tls --- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls +++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen { @@ -19,7 +19,7 @@ listen {
@ -50,10 +60,10 @@ index 5dbe143da..46b5fea78 100644
cache { cache {
enable = no enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index cf1cd7a8a..7dd59cb6f 100644 index bbc761b1c5..83cd35b851 100644
--- a/raddb/sites-available/tls --- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls +++ b/raddb/sites-available/tls
@@ -197,7 +197,7 @@ listen { @@ -215,7 +215,7 @@ listen {
# Set this option to specify the allowed # Set this option to specify the allowed
# TLS cipher suites. The format is listed # TLS cipher suites. The format is listed
# in "man 1 ciphers". # in "man 1 ciphers".
@ -62,7 +72,7 @@ index cf1cd7a8a..7dd59cb6f 100644
# If enabled, OpenSSL will use server cipher list # If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above) # (possibly defined by cipher_list option above)
@@ -499,7 +499,7 @@ home_server tls { @@ -517,7 +517,7 @@ home_server tls {
# Set this option to specify the allowed # Set this option to specify the allowed
# TLS cipher suites. The format is listed # TLS cipher suites. The format is listed
# in "man 1 ciphers". # in "man 1 ciphers".
@ -72,5 +82,5 @@ index cf1cd7a8a..7dd59cb6f 100644
} }
-- --
2.13.2 2.21.0

View File

@ -0,0 +1,91 @@
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 15:53:45 -0400
Subject: [PATCH] Don't clobber existing files on bootstrap
Rebased: v3.0.20
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aa..336a2bd 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -31,52 +31,55 @@ fi
# Don't edit the following text. Instead, edit the Makefile, and
# re-generate these commands.
#
-if [ ! -f dh ]; then
+if [ ! -e dh ]; then
openssl dhparam -out dh 2048 || exit 1
- if [ -e /dev/urandom ] ; then
- ln -sf /dev/urandom random
- else
- date > ./random;
- fi
+ ln -sf /dev/urandom random
fi
-if [ ! -f server.key ]; then
+if [ ! -e server.key ]; then
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
+ chmod g+r server.key
fi
-if [ ! -f ca.key ]; then
+if [ ! -e ca.key ]; then
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
fi
-if [ ! -f index.txt ]; then
+if [ ! -e index.txt ]; then
touch index.txt
fi
-if [ ! -f serial ]; then
+if [ ! -e serial ]; then
echo '01' > serial
fi
-if [ ! -f server.crt ]; then
+if [ ! -e server.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
fi
-if [ ! -f server.p12 ]; then
+if [ ! -e server.p12 ]; then
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+ chmod g+r server.p12
fi
-if [ ! -f server.pem ]; then
+if [ ! -e server.pem ]; then
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
openssl verify -CAfile ca.pem server.pem || exit 1
+ chmod g+r server.pem
fi
-if [ ! -f ca.der ]; then
+if [ ! -e ca.der ]; then
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
fi
-if [ ! -f client.key ]; then
+if [ ! -e client.key ]; then
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ chmod g+r client.key
fi
-if [ ! -f client.crt ]; then
+if [ ! -e client.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
fi
+
+chown root:radiusd dh ca.* client.* server.*
+chmod 640 dh ca.* client.* server.*
--
2.26.2

View File

@ -0,0 +1,52 @@
From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 16:10:52 -0400
Subject: [PATCH] Use fixed FIPS-approved dhparam by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/Makefile | 2 +-
raddb/certs/bootstrap | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd46..41b7aea 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
#
######################################################################
dh:
- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ cp rfc3526-group-18-8192.dhparam dh
######################################################################
#
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 9920ecf..59b3310 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -13,6 +13,10 @@
umask 027
cd `dirname $0`
+if [ ! -e random ]; then
+ ln -sf /dev/urandom random
+fi
+
make -h > /dev/null 2>&1
#
@@ -35,8 +39,7 @@ fi
# re-generate these commands.
#
if [ ! -e dh ]; then
- openssl dhparam -out dh 2048 || exit 1
- ln -sf /dev/urandom random
+ cp rfc3526-group-18-8192.dhparam dh
fi
if [ ! -e server.key ]; then
--
2.26.2

View File

@ -0,0 +1,29 @@
From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 4 Aug 2020 10:08:15 -0400
Subject: [PATCH] Fix permissions after generating certificates with make
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 336a2bd..9920ecf 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
#
if [ "$?" = "0" ]; then
make all
- exit $?
+ ret=$?
+ chown root:radiusd dh ca.* client.* server.*
+ chmod 640 dh ca.* client.* server.*
+ exit $ret
fi
#
--
2.26.2

File diff suppressed because it is too large Load Diff

View File

@ -1,42 +0,0 @@
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 22 Apr 2019 14:38:19 -0400
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
which effectively result in a listen.ipaddr only allowing hostnames to
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
it'll bail with the error message:
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
Name or service not known
This directly contradicts the language in the default configuration
file, so support resolving both IPv4-only and IPv6-only hostnames.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/misc.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index dff21e33f7..5520d8a0a4 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
fr_strerror_printf("Invalid address");
return -1;
}
-
- /*
- * Fall through to resolving the address, using
- * whatever address family they prefer. If they
- * don't specify an address family, force IPv4.
- */
- if (af == AF_UNSPEC) af = AF_INET;
}
/*

View File

@ -1,94 +0,0 @@
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 11:53:28 +0300
Subject: [PATCH] man: Fix some typos
---
man/man5/radrelay.conf.5 | 2 +-
man/man5/rlm_files.5 | 2 +-
man/man5/unlang.5 | 8 ++++----
man/man8/radrelay.8 | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
index 5fb38bfc4e..e3e665024b 100644
--- a/man/man5/radrelay.conf.5
+++ b/man/man5/radrelay.conf.5
@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
backup server. When the primary goes down, most NASes detect that and
switch to the backup server.
-That will cause your accounting packets to go the the backup server -
+That will cause your accounting packets to go to the backup server -
and some NASes don't even switch back to the primary server when it
comes back up.
diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
index bfee5030ff..52f4734ae3 100644
--- a/man/man5/rlm_files.5
+++ b/man/man5/rlm_files.5
@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
perform per-group checks, and return per-group attributes, where the
group membership is dynamically defined by a previous module. It also
lets you do things like key off of attributes in the reply, and
-express policies like like "when I send replies containing attribute
+express policies like "when I send replies containing attribute
FOO with value BAR, do more checks, and maybe send additional
attributes".
.SH CONFIGURATION
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
index 76db8f2d1c..12fe7855b2 100644
--- a/man/man5/unlang.5
+++ b/man/man5/unlang.5
@@ -36,7 +36,7 @@ the pre-defined keywords here.
Subject to a few limitations described below, any keyword can appear
in any context. The language consists of a series of entries, each
-one one line. Each entry begins with a keyword. Entries are
+one line. Each entry begins with a keyword. Entries are
organized into lists. Processing of the language is line by line,
from the start of the list to the end. Actions are executed
per-keyword.
@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below. The match is
then performed on the string returned from the expansion. If the
argument is an attribute reference (e.g. &User-Name), then the match
is performed on the value of that attribute. Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
+is taken to be a literal string, and matching is done via simple
comparison.
No statement other than "case" can appear in a "switch" block.
@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below. The match is
then performed on the string returned from the expansion. If the
argument is an attribute reference (e.g. &User-Name), then the match
is performed on the value of that attribute. Otherwise, the argument
-is taken to be a literal string, and and matching is done via simple
+is taken to be a literal string, and matching is done via simple
comparison.
.DS
@@ -799,7 +799,7 @@ regular expression. If no attribute matches, nothing else is done.
The value can be an attribute reference, or an attribute-specific
string.
-When the value is an an attribute reference, it must take the form of
+When the value is an attribute reference, it must take the form of
"&Attribute-Name". The leading "&" signifies that the value is a
reference. The "Attribute-Name" is an attribute name, such as
"User-Name" or "request:User-Name". When an attribute reference is
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
index fdba6995d5..99e65732a2 100644
--- a/man/man8/radrelay.8
+++ b/man/man8/radrelay.8
@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
backup server. When the primary goes down, most NASes detect that and
switch to the backup server.
-That will cause your accounting packets to go the the backup server -
+That will cause your accounting packets to go to the backup server -
and some NASes don't even switch back to the primary server when it
comes back up.
--
2.18.0

View File

@ -0,0 +1,104 @@
From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 12:58:02 -0400
Subject: [PATCH] Don't generate certificates in reproducible builds
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
Make.inc.in | 5 +++++
configure | 4 ++++
configure.ac | 3 +++
raddb/all.mk | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/Make.inc.in b/Make.inc.in
index 0b2cd74de8..8c623cf95c 100644
--- a/Make.inc.in
+++ b/Make.inc.in
@@ -173,3 +173,8 @@ else
TESTBINDIR = ./$(BUILD_DIR)/bin
TESTBIN = ./$(BUILD_DIR)/bin
endif
+
+#
+# With reproducible builds, do not generate certificates during installation
+#
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
diff --git a/configure b/configure
index c2c599c92b..3d4403a844 100755
--- a/configure
+++ b/configure
@@ -655,6 +655,7 @@ RUSERS
SNMPWALK
SNMPGET
PERL
+ENABLE_REPRODUCIBLE_BUILDS
openssl_version_check_config
WITH_DHCP
modconfdir
@@ -5586,6 +5587,7 @@ else
fi
+ENABLE_REPRODUCIBLE_BUILDS=yes
# Check whether --enable-reproducible-builds was given.
if test "${enable_reproducible_builds+set}" = set; then :
enableval=$enable_reproducible_builds; case "$enableval" in
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac
fi
@@ -5604,6 +5607,7 @@ fi
+
CHECKRAD=checkrad
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
diff --git a/configure.ac b/configure.ac
index a7abf0025a..35b013f4af 100644
--- a/configure.ac
+++ b/configure.ac
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
dnl #
dnl # extra argument: --enable-reproducible-builds
dnl #
+ENABLE_REPRODUCIBLE_BUILDS=yes
AC_ARG_ENABLE(reproducible-builds,
[AS_HELP_STRING([--enable-reproducible-builds],
[ensure the build does not change each time])],
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac ]
)
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
dnl #############################################################
diff --git a/raddb/all.mk b/raddb/all.mk
index c966edd657..c8e976a499 100644
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
ifneq "$(LOCAL_CERT_PRODUCTS)" ""
$(LOCAL_CERT_PRODUCTS):
@echo BOOTSTRAP raddb/certs/
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
+ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
+else
@$(MAKE) -C $(R)$(raddbdir)/certs/
+endif
# Bootstrap is special
$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
--
2.21.0

View File

@ -0,0 +1,45 @@
From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 11:39:45 -0400
Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
user-provided dhparams will be ignored (and dhparam generation
may fail as well), unless they are on the FIPS approved list of
parameters. However, OpenSSL since v1.1.1 will automatically select
an appropriate DH parameter set anyways, if the user did not provide
any. These will be FIPS approved.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/main/tls.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/main/tls.c b/src/main/tls.c
index 5809a1bd7d..5e6493333c 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
if (!file) return 0;
+ /*
+ * Prior to trying to load the file, check what OpenSSL will do with it.
+ *
+ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
+ * in FIPS mode, unless the specified parameters are FIPS-approved.
+ * However, since OpenSSL >= 1.1.1 will automatically select parameters
+ * anyways, there's no point in attempting to load them.
+ *
+ * Change suggested by @t8m
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ if (FIPS_mode() > 0) {
+ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
+ return 0;
+ }
+#endif
+
if ((bio = BIO_new_file(file, "r")) == NULL) {
ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
return -1;

View File

@ -1,64 +0,0 @@
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 18 Oct 2018 12:40:53 -0400
Subject: [PATCH] Clarify shebangs to be python2
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
scripts/radtee | 2 +-
src/modules/rlm_python/example.py | 2 +-
src/modules/rlm_python/prepaid.py | 2 +-
src/modules/rlm_python/radiusd.py | 2 +-
src/modules/rlm_python/radiusd_test.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/radtee b/scripts/radtee
index 123769d244..78b4bcbe0b 100755
--- a/scripts/radtee
+++ b/scripts/radtee
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python2
from __future__ import with_statement
# RADIUS comparison tee v1.0
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
index 5950a07678..eaf456e349 100644
--- a/src/modules/rlm_python/example.py
+++ b/src/modules/rlm_python/example.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module example file
# Miguel A.L. Paraz <mparaz@mparaz.com>
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
index c3cbf57b8f..3b1dc2e2e8 100644
--- a/src/modules/rlm_python/prepaid.py
+++ b/src/modules/rlm_python/prepaid.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Example Python module for prepaid usage using MySQL
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
index c535bb3caf..7129923994 100644
--- a/src/modules/rlm_python/radiusd.py
+++ b/src/modules/rlm_python/radiusd.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Definitions for RADIUS programs
#
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
index 13b7128b29..97b5b64f08 100644
--- a/src/modules/rlm_python/radiusd_test.py
+++ b/src/modules/rlm_python/radiusd_test.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module test
# Miguel A.L. Paraz <mparaz@mparaz.com>

View File

@ -1 +1 @@
D /var/run/radiusd 0710 radiusd radiusd - D /run/radiusd 0710 radiusd radiusd -

View File

@ -1,11 +1,12 @@
[Unit] [Unit]
Description=FreeRADIUS high performance RADIUS server. Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
[Service] [Service]
Type=forking Type=forking
PIDFile=/var/run/radiusd/radiusd.pid PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=/usr/sbin/radiusd -C ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C ExecReload=/usr/sbin/radiusd -C

View File

@ -0,0 +1,24 @@
-----BEGIN DH PARAMETERS-----
MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
-----END DH PARAMETERS-----

View File

@ -8,8 +8,8 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.17 Version: 3.0.20
Release: 7%{?dist} Release: 3%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -28,18 +28,16 @@ Source100: radiusd.service
Source102: freeradius-logrotate Source102: freeradius-logrotate
Source103: freeradius-pam-conf Source103: freeradius-pam-conf
Source104: freeradius-tmpfiles.conf Source104: freeradius-tmpfiles.conf
Source105: rfc3526-group-18-8192.pem
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
Patch2: freeradius-Use-system-crypto-policy-by-default.patch Patch2: freeradius-Use-system-crypto-policy-by-default.patch
Patch3: freeradius-man-Fix-some-typos.patch Patch3: freeradius-bootstrap-create-only.patch
Patch4: freeradius-Add-missing-option-descriptions.patch Patch4: freeradius-no-buildtime-cert-gen.patch
Patch5: freeradius-OpenSSL-HMAC-MD5.patch Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
Patch6: freeradius-OpenSSL-HMAC-SHA1.patch Patch6: freeradius-bootstrap-make-permissions.patch
Patch7: freeradius-python2-shebangs.patch Patch7: freeradius-no-dh-param-load-FIPS.patch
Patch8: freeradius-EAP-PWD-curve-handling.patch Patch8: freeradius-bootstrap-fixed-dhparam.patch
Patch9: freeradius-listen-ipv6-fix.patch
Patch10: freeradius-EAP-PWD-information-leak-10-iterations.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -71,7 +69,7 @@ Requires(pre): shadow-utils glibc-common
Requires(post): systemd-sysv Requires(post): systemd-sysv
Requires(post): systemd-units Requires(post): systemd-units
# Needed for certificate generation # Needed for certificate generation
Requires(post): make Requires: make
Requires(preun): systemd-units Requires(preun): systemd-units
Requires(postun): systemd-units Requires(postun): systemd-units
@ -154,7 +152,7 @@ This plugin provides the Perl support for the FreeRADIUS server project.
%if %{with python2} %if %{with python2}
%package -n python2-freeradius %package -n python2-freeradius
Summary: Python support for freeradius Summary: Python 2 support for freeradius
Group: System Environment/Daemons Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
BuildRequires: python2-devel BuildRequires: python2-devel
@ -165,10 +163,19 @@ Provides: %{name}-python%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release} Obsoletes: %{name}-python < %{version}-%{release}
%description -n python2-freeradius %description -n python2-freeradius
This plugin provides the Python support for the FreeRADIUS server project. This plugin provides the Python 2 support for the FreeRADIUS server project.
# endif: with python2 # endif: with python2
%endif %endif
%package -n python3-freeradius
Summary: Python 3 support for freeradius
Requires: %{name} = %{version}-%{release}
BuildRequires: python3-devel
%{?python_provide:%python_provide python3-freeradius}
%description -n python3-freeradius
This plugin provides the Python 3 support for the FreeRADIUS server project.
%package mysql %package mysql
Summary: MySQL support for freeradius Summary: MySQL support for freeradius
Group: System Environment/Daemons Group: System Environment/Daemons
@ -227,13 +234,22 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1
%patch10 -p1 # Add fixed dhparam file to the source to ensure `make tests` can run.
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
%build %build
# Force compile/link options, extra security for network facing daemon # Force compile/link options, extra security for network facing daemon
%global _hardened_build 1 %global _hardened_build 1
# Hack: rlm_python3 as stable; prevents building other unstable modules.
sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
# python3-config is broken:
# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
%configure \ %configure \
--libdir=%{_libdir}/freeradius \ --libdir=%{_libdir}/freeradius \
--enable-reproducible-builds \ --enable-reproducible-builds \
@ -249,6 +265,12 @@ This plugin provides the REST support for the FreeRADIUS server project.
--with-unixodbc-lib-dir=%{_libdir} \ --with-unixodbc-lib-dir=%{_libdir} \
--with-rlm-dbm-lib-dir=%{_libdir} \ --with-rlm-dbm-lib-dir=%{_libdir} \
--with-rlm-krb5-include-dir=/usr/kerberos/include \ --with-rlm-krb5-include-dir=/usr/kerberos/include \
--with-rlm_python3 \
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
--with-rlm-python3-include-dir=$PY3_INC_DIR \
%if %{without python2}
--without-rlm-python2 \
%endif
--without-rlm_eap_ikev2 \ --without-rlm_eap_ikev2 \
--without-rlm_eap_tnc \ --without-rlm_eap_tnc \
--without-rlm_sql_iodbc \ --without-rlm_sql_iodbc \
@ -256,11 +278,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
--without-rlm_sql_db2 \ --without-rlm_sql_db2 \
--without-rlm_sql_oracle \ --without-rlm_sql_oracle \
--without-rlm_unbound \ --without-rlm_unbound \
%if %{without python2}
--without-rlm_python \
--without-python \
--disable-python \
%endif
--without-rlm_redis \ --without-rlm_redis \
--without-rlm_rediswho \ --without-rlm_rediswho \
--without-rlm_cache_memcached --without-rlm_cache_memcached
@ -285,12 +302,16 @@ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
# Add fixed dhparam file
install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
# install SNMP MIB files # install SNMP MIB files
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/ install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
# remove unneeded stuff # remove unneeded stuff
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key
@ -324,11 +345,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
# conditionally remove python due to it being python2-only
%if %{without python2}
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/python
%endif
# Remove yubikey on RHEL # Remove yubikey on RHEL
%if 0%{?rhel} %if 0%{?rhel}
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
@ -338,6 +354,10 @@ rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
# remove unsupported config files # remove unsupported config files
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
# Mongo will never be supported on Fedora or RHEL
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
# install doc files omitted by standard install # install doc files omitted by standard install
for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do
cp $f $RPM_BUILD_ROOT/%{docdir} cp $f $RPM_BUILD_ROOT/%{docdir}
@ -369,12 +389,6 @@ exit 0
%post %post
%systemd_post radiusd.service %systemd_post radiusd.service
if [ $1 -eq 1 ]; then # install
# Initial installation
if [ ! -e /etc/raddb/certs/server.pem ]; then
/sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
fi
fi
exit 0 exit 0
%preun %preun
@ -440,6 +454,7 @@ exit 0
/etc/raddb/certs/README /etc/raddb/certs/README
%config(noreplace) /etc/raddb/certs/xpextensions %config(noreplace) /etc/raddb/certs/xpextensions
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap %attr(750,root,radiusd) /etc/raddb/certs/bootstrap
# mods-config # mods-config
@ -467,6 +482,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa-relay
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp
@ -531,6 +547,8 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python3
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis
@ -598,6 +616,7 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name %attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/rfc7542
# binaries # binaries
@ -758,6 +777,12 @@ exit 0
# endif: with python2 # endif: with python2
%endif %endif
%files -n python3-freeradius
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python3
/etc/raddb/mods-config/python3/example.py*
/etc/raddb/mods-config/python3/radiusd.py*
%{_libdir}/freeradius/rlm_python3.so
%files mysql %files mysql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
@ -772,6 +797,7 @@ exit 0
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
@ -808,6 +834,7 @@ exit 0
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/queries.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/procedure.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
@ -857,6 +884,22 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog %changelog
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
- Require make for proper bootstrap execution, removes post script
Resolves: bz#1672285
* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
- Fix breakage caused by OpenSSL FIPS regression
Related: bz#1855822
Related: bz#1810911
Resolves: bz#1672285
* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
- Update to FreeRADIUS server version 3.0.20
- Introduce Python 3 support; resolves: bz#1623069
- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
- Create tmp files in /run; resolves: bz#1805975
* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7 * Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
- Fix information leak due to aborting when needing more than 10 iterations - Fix information leak due to aborting when needing more than 10 iterations
Resolves: bz#1751797 Resolves: bz#1751797