import freeradius-3.0.20-3.module+el8.3.0+7597+67902674
This commit is contained in:
parent
db743c4f8e
commit
11830a4189
@ -1 +1 @@
|
||||
a0d4372ee124cbee6b90a4463ff068afe70e06ca SOURCES/freeradius-server-3.0.17.tar.bz2
|
||||
3dd0e18fa04aff410876309e4322313b700db2b7 SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/freeradius-server-3.0.17.tar.bz2
|
||||
SOURCES/freeradius-server-3.0.20.tar.bz2
|
||||
|
@ -1,97 +0,0 @@
|
||||
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 12:20:11 +0300
|
||||
Subject: [PATCH] man: Add missing option descriptions
|
||||
|
||||
---
|
||||
man/man8/raddebug.8 | 4 ++++
|
||||
man/man8/radiusd.8 | 7 +++++++
|
||||
man/man8/radmin.8 | 4 ++++
|
||||
3 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
|
||||
index 66e80e64fa..6e27e2453c 100644
|
||||
--- a/man/man8/raddebug.8
|
||||
+++ b/man/man8/raddebug.8
|
||||
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
|
||||
.IR condition ]
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-n
|
||||
.IR name ]
|
||||
.RB [ \-i
|
||||
@@ -73,6 +75,8 @@ option is equivalent to using:
|
||||
.IP "\-d \fIconfig directory\fP"
|
||||
The radius configuration directory, usually /etc/raddb. See the
|
||||
\fIradmin\fP manual page for more description of this option.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP "\-n \fImname\fP"
|
||||
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
|
||||
.IP \-I\ \fIipv6-address\fP
|
||||
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||
index c825f22d0d..98aef5e1be 100644
|
||||
--- a/man/man8/radiusd.8
|
||||
+++ b/man/man8/radiusd.8
|
||||
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
|
||||
.RB [ \-C ]
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-f ]
|
||||
.RB [ \-h ]
|
||||
.RB [ \-i
|
||||
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
|
||||
.IR name ]
|
||||
.RB [ \-p
|
||||
.IR port ]
|
||||
+.RB [ \-P ]
|
||||
.RB [ \-s ]
|
||||
.RB [ \-t ]
|
||||
.RB [ \-v ]
|
||||
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
|
||||
.IP "\-d \fIconfig directory\fP"
|
||||
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
|
||||
files such as the \fIdictionary\fP and the \fIusers\fP files.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP \-f
|
||||
Do not fork, stay running as a foreground process.
|
||||
.IP \-h
|
||||
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
|
||||
\fIradiusd.conf\fP are ignored.
|
||||
|
||||
This option MUST be used in conjunction with "-i".
|
||||
+.IP "\-P
|
||||
+Always write out PID, even with -f.
|
||||
.IP \-s
|
||||
Run in "single server" mode. The server normally runs with multiple
|
||||
threads and/or processes, which can lower its response time to
|
||||
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
|
||||
index 5ecc963d81..5bf661fa71 100644
|
||||
--- a/man/man8/radmin.8
|
||||
+++ b/man/man8/radmin.8
|
||||
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
|
||||
.B radmin
|
||||
.RB [ \-d
|
||||
.IR config_directory ]
|
||||
+.RB [ \-D
|
||||
+.IR dictionary_directory ]
|
||||
.RB [ \-e
|
||||
.IR command ]
|
||||
.RB [ \-E ]
|
||||
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
|
||||
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
|
||||
configuration files to find the "listen" section that defines the
|
||||
control socket filename.
|
||||
+.IP "\-D \fIdictionary directory\fP"
|
||||
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||
.IP "\-e \fIcommand\fP"
|
||||
Run \fIcommand\fP and exit.
|
||||
.IP \-E
|
||||
--
|
||||
2.18.0
|
||||
|
@ -12,24 +12,24 @@ diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
||||
index 2621e183c..94494b2c6 100644
|
||||
--- a/raddb/mods-available/eap
|
||||
+++ b/raddb/mods-available/eap
|
||||
@@ -472,7 +472,7 @@ eap {
|
||||
#
|
||||
@@ -533,7 +533,7 @@
|
||||
# You should also delete all of the files
|
||||
# in the directory when the server starts.
|
||||
#
|
||||
- # tmpdir = /tmp/radiusd
|
||||
+ # tmpdir = /var/run/radiusd/tmp
|
||||
|
||||
# The command used to verify the client cert.
|
||||
# We recommend using the OpenSSL command-line
|
||||
@@ -486,7 +486,7 @@ eap {
|
||||
# in PEM format. This file is automatically
|
||||
@@ -548,7 +548,7 @@
|
||||
# deleted by the server when the command
|
||||
# returns.
|
||||
#
|
||||
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
|
||||
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
|
||||
}
|
||||
|
||||
#
|
||||
# OCSP Configuration
|
||||
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
|
||||
index a83c1f687..e500cf97b 100644
|
||||
--- a/raddb/radiusd.conf.in
|
||||
|
@ -1,45 +0,0 @@
|
||||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
index 7f91e4b230..848ca2055e 100644
|
||||
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
||||
data_len = BN_num_bytes(session->order);
|
||||
BN_bin2bn(ptr, data_len, session->peer_scalar);
|
||||
|
||||
+ /* validate received scalar */
|
||||
+ if (BN_is_zero(session->peer_scalar) ||
|
||||
+ BN_is_one(session->peer_scalar) ||
|
||||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
|
||||
+ ERROR("Peer's scalar is not within the allowed range");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
|
||||
DEBUG2("pwd: unable to get coordinates of peer's element");
|
||||
goto finish;
|
||||
}
|
||||
|
||||
+ /* validate received element */
|
||||
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
|
||||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
|
||||
+ ERROR("Peer's element is not a point on the elliptic curve");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
/* check to ensure peer's element is not in a small sub-group */
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
|
||||
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
||||
}
|
||||
}
|
||||
|
||||
+ /* detect reflection attacks */
|
||||
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
|
||||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
|
||||
+ ERROR("Reflection attack detected");
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
/* compute the shared key, k */
|
||||
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
|
||||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
|
@ -1,38 +0,0 @@
|
||||
From 3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa Mon Sep 17 00:00:00 2001
|
||||
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
|
||||
Date: Wed, 5 Jun 2019 19:21:06 +0000
|
||||
Subject: [PATCH] EAP-pwd: fix side-channel leak where 1 in 2018 handshakes
|
||||
fail
|
||||
|
||||
Previously the Hunting and Pecking algorithm of EAP-pwd aborted when
|
||||
more than 10 iterations are needed. Every iteration has a 50% chance
|
||||
of finding the password element. This means one in every 2048 handshakes
|
||||
will fail, in which case an error frame is sent to the client. This
|
||||
event leaks information that can be abused in an offline password
|
||||
brute-force attack. More precisely, the adversary learns that all 10
|
||||
iterations failed for the given random EAP-pwd token. Using the same
|
||||
techniques as in the Dragonblood attack, this can be used to brute-force
|
||||
the password.
|
||||
|
||||
This patch fixes the above issue by executing enough iterations such that
|
||||
the password element is always found eventually.
|
||||
|
||||
Note that timing and cache leaks remain a risk against the current
|
||||
implementation of EAP-pwd.
|
||||
---
|
||||
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
index c54f08c030..d94851c3aa 100644
|
||||
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||
@@ -192,7 +192,7 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||
}
|
||||
ctr = 0;
|
||||
while (1) {
|
||||
- if (ctr > 10) {
|
||||
+ if (ctr > 100) {
|
||||
DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);
|
||||
goto fail;
|
||||
}
|
@ -1,68 +0,0 @@
|
||||
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 28 Sep 2018 09:54:46 -0400
|
||||
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
|
||||
|
||||
If OpenSSL EVP is not found, fallback to internal implementation of
|
||||
HMAC-MD5.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 33 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
|
||||
index 2c662ff368..1cca00fa2a 100644
|
||||
--- a/src/lib/hmacmd5.c
|
||||
+++ b/src/lib/hmacmd5.c
|
||||
@@ -27,10 +27,41 @@
|
||||
|
||||
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
|
||||
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+#include <openssl/hmac.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#endif
|
||||
+
|
||||
#include <freeradius-devel/libradius.h>
|
||||
#include <freeradius-devel/md5.h>
|
||||
|
||||
-/** Calculate HMAC using MD5
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+/** Calculate HMAC using OpenSSL's MD5 implementation
|
||||
+ *
|
||||
+ * @param digest Caller digest to be filled in.
|
||||
+ * @param text Pointer to data stream.
|
||||
+ * @param text_len length of data stream.
|
||||
+ * @param key Pointer to authentication key.
|
||||
+ * @param key_len Length of authentication key.
|
||||
+ *
|
||||
+ */
|
||||
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
+ uint8_t const *key, size_t key_len)
|
||||
+{
|
||||
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||
+
|
||||
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
|
||||
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
|
||||
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
|
||||
+
|
||||
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
|
||||
+ HMAC_Update(ctx, text, text_len);
|
||||
+ HMAC_Final(ctx, digest, NULL);
|
||||
+ HMAC_CTX_free(ctx);
|
||||
+}
|
||||
+#else
|
||||
+/** Calculate HMAC using internal MD5 implementation
|
||||
*
|
||||
* @param digest Caller digest to be filled in.
|
||||
* @param text Pointer to data stream.
|
||||
@@ -101,6 +132,7 @@
|
||||
* hash */
|
||||
fr_md5_final(digest, &context); /* finish up 2nd pass */
|
||||
}
|
||||
+#endif /* HAVE_OPENSSL_EVP_H */
|
||||
|
||||
/*
|
||||
Test Vectors (Trailing '\0' of a character string not included in test):
|
@ -1,73 +0,0 @@
|
||||
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Fri, 28 Sep 2018 11:03:52 -0400
|
||||
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
|
||||
|
||||
If OpenSSL EVP is not found, fallback to internal implementation of
|
||||
HMAC-SHA1.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
|
||||
1 file changed, 28 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
|
||||
index c3cbd87a2c..211470ea35 100644
|
||||
--- a/src/lib/hmacsha1.c
|
||||
+++ b/src/lib/hmacsha1.c
|
||||
@@ -10,13 +10,19 @@
|
||||
|
||||
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
|
||||
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+#include <openssl/hmac.h>
|
||||
+#include <openssl/evp.h>
|
||||
+#endif
|
||||
+
|
||||
#include <freeradius-devel/libradius.h>
|
||||
|
||||
#ifdef HMAC_SHA1_DATA_PROBLEMS
|
||||
unsigned int sha1_data_problems = 0;
|
||||
#endif
|
||||
|
||||
-/** Calculate HMAC using SHA1
|
||||
+#ifdef HAVE_OPENSSL_EVP_H
|
||||
+/** Calculate HMAC using OpenSSL's SHA1 implementation
|
||||
*
|
||||
* @param digest Caller digest to be filled in.
|
||||
* @param text Pointer to data stream.
|
||||
@@ -28,6 +34,26 @@
|
||||
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
uint8_t const *key, size_t key_len)
|
||||
{
|
||||
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
|
||||
+ HMAC_Update(ctx, text, text_len);
|
||||
+ HMAC_Final(ctx, digest, NULL);
|
||||
+ HMAC_CTX_free(ctx);
|
||||
+}
|
||||
+
|
||||
+#else
|
||||
+
|
||||
+/** Calculate HMAC using internal SHA1 implementation
|
||||
+ *
|
||||
+ * @param digest Caller digest to be filled in.
|
||||
+ * @param text Pointer to data stream.
|
||||
+ * @param text_len length of data stream.
|
||||
+ * @param key Pointer to authentication key.
|
||||
+ * @param key_len Length of authentication key.
|
||||
+ */
|
||||
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||
+ uint8_t const *key, size_t key_len)
|
||||
+{
|
||||
fr_sha1_ctx context;
|
||||
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
|
||||
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
|
||||
@@ -142,6 +168,7 @@
|
||||
}
|
||||
#endif
|
||||
}
|
||||
+#endif /* HAVE_OPENSSL_EVP_H */
|
||||
|
||||
/*
|
||||
Test Vectors (Trailing '\0' of a character string not included in test):
|
@ -1,20 +1,21 @@
|
||||
From d78bf5ab1f5c8102b2b6051cfb1198488be9597d Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Mon, 26 Sep 2016 19:48:36 +0300
|
||||
Subject: [PATCH] Use system crypto policy by default
|
||||
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 8 May 2019 10:16:31 -0400
|
||||
Subject: [PATCH] Use system-provided crypto-policies by default
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/mods-available/eap | 2 +-
|
||||
raddb/mods-available/eap | 4 ++--
|
||||
raddb/mods-available/inner-eap | 2 +-
|
||||
raddb/sites-available/abfab-tls | 2 +-
|
||||
raddb/sites-available/tls | 4 ++--
|
||||
4 files changed, 5 insertions(+), 5 deletions(-)
|
||||
4 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
|
||||
index 94494b2c6..9a8dc9327 100644
|
||||
index 36849e10f2..b28c0f19c6 100644
|
||||
--- a/raddb/mods-available/eap
|
||||
+++ b/raddb/mods-available/eap
|
||||
@@ -323,7 +323,7 @@ eap {
|
||||
@@ -368,7 +368,7 @@ eap {
|
||||
#
|
||||
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||
#
|
||||
@ -23,11 +24,20 @@ index 94494b2c6..9a8dc9327 100644
|
||||
|
||||
# If enabled, OpenSSL will use server cipher list
|
||||
# (possibly defined by cipher_list option above)
|
||||
@@ -912,7 +912,7 @@ eap {
|
||||
# Note - for OpenSSL 1.1.0 and above you may need
|
||||
# to add ":@SECLEVEL=0"
|
||||
#
|
||||
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
|
||||
+ # cipher_list = "PROFILE=SYSTEM"
|
||||
|
||||
# PAC lifetime in seconds (default: seven days)
|
||||
#
|
||||
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
|
||||
index 2b4df6267..af9aa88cd 100644
|
||||
index 576eb7739e..ffa07188e2 100644
|
||||
--- a/raddb/mods-available/inner-eap
|
||||
+++ b/raddb/mods-available/inner-eap
|
||||
@@ -68,7 +68,7 @@ eap inner-eap {
|
||||
@@ -77,7 +77,7 @@ eap inner-eap {
|
||||
# certificates. If so, edit this file.
|
||||
ca_file = ${cadir}/ca.pem
|
||||
|
||||
@ -37,7 +47,7 @@ index 2b4df6267..af9aa88cd 100644
|
||||
# You may want to set a very small fragment size.
|
||||
# The TLS data here needs to go inside of the
|
||||
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
|
||||
index 5dbe143da..46b5fea78 100644
|
||||
index 92f1d6330e..cd69b3905a 100644
|
||||
--- a/raddb/sites-available/abfab-tls
|
||||
+++ b/raddb/sites-available/abfab-tls
|
||||
@@ -19,7 +19,7 @@ listen {
|
||||
@ -50,10 +60,10 @@ index 5dbe143da..46b5fea78 100644
|
||||
cache {
|
||||
enable = no
|
||||
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
|
||||
index cf1cd7a8a..7dd59cb6f 100644
|
||||
index bbc761b1c5..83cd35b851 100644
|
||||
--- a/raddb/sites-available/tls
|
||||
+++ b/raddb/sites-available/tls
|
||||
@@ -197,7 +197,7 @@ listen {
|
||||
@@ -215,7 +215,7 @@ listen {
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
@ -62,7 +72,7 @@ index cf1cd7a8a..7dd59cb6f 100644
|
||||
|
||||
# If enabled, OpenSSL will use server cipher list
|
||||
# (possibly defined by cipher_list option above)
|
||||
@@ -499,7 +499,7 @@ home_server tls {
|
||||
@@ -517,7 +517,7 @@ home_server tls {
|
||||
# Set this option to specify the allowed
|
||||
# TLS cipher suites. The format is listed
|
||||
# in "man 1 ciphers".
|
||||
@ -72,5 +82,5 @@ index cf1cd7a8a..7dd59cb6f 100644
|
||||
|
||||
}
|
||||
--
|
||||
2.13.2
|
||||
2.21.0
|
||||
|
||||
|
91
SOURCES/freeradius-bootstrap-create-only.patch
Normal file
91
SOURCES/freeradius-bootstrap-create-only.patch
Normal file
@ -0,0 +1,91 @@
|
||||
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 15:53:45 -0400
|
||||
Subject: [PATCH] Don't clobber existing files on bootstrap
|
||||
|
||||
Rebased: v3.0.20
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
|
||||
1 file changed, 19 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 0f719aa..336a2bd 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -31,52 +31,55 @@ fi
|
||||
# Don't edit the following text. Instead, edit the Makefile, and
|
||||
# re-generate these commands.
|
||||
#
|
||||
-if [ ! -f dh ]; then
|
||||
+if [ ! -e dh ]; then
|
||||
openssl dhparam -out dh 2048 || exit 1
|
||||
- if [ -e /dev/urandom ] ; then
|
||||
- ln -sf /dev/urandom random
|
||||
- else
|
||||
- date > ./random;
|
||||
- fi
|
||||
+ ln -sf /dev/urandom random
|
||||
fi
|
||||
|
||||
-if [ ! -f server.key ]; then
|
||||
+if [ ! -e server.key ]; then
|
||||
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
||||
+ chmod g+r server.key
|
||||
fi
|
||||
|
||||
-if [ ! -f ca.key ]; then
|
||||
+if [ ! -e ca.key ]; then
|
||||
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
|
||||
fi
|
||||
|
||||
-if [ ! -f index.txt ]; then
|
||||
+if [ ! -e index.txt ]; then
|
||||
touch index.txt
|
||||
fi
|
||||
|
||||
-if [ ! -f serial ]; then
|
||||
+if [ ! -e serial ]; then
|
||||
echo '01' > serial
|
||||
fi
|
||||
|
||||
-if [ ! -f server.crt ]; then
|
||||
+if [ ! -e server.crt ]; then
|
||||
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
|
||||
fi
|
||||
|
||||
-if [ ! -f server.p12 ]; then
|
||||
+if [ ! -e server.p12 ]; then
|
||||
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||
+ chmod g+r server.p12
|
||||
fi
|
||||
|
||||
-if [ ! -f server.pem ]; then
|
||||
+if [ ! -e server.pem ]; then
|
||||
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
|
||||
openssl verify -CAfile ca.pem server.pem || exit 1
|
||||
+ chmod g+r server.pem
|
||||
fi
|
||||
|
||||
-if [ ! -f ca.der ]; then
|
||||
+if [ ! -e ca.der ]; then
|
||||
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
|
||||
fi
|
||||
|
||||
-if [ ! -f client.key ]; then
|
||||
+if [ ! -e client.key ]; then
|
||||
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ chmod g+r client.key
|
||||
fi
|
||||
|
||||
-if [ ! -f client.crt ]; then
|
||||
+if [ ! -e client.crt ]; then
|
||||
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
|
||||
fi
|
||||
+
|
||||
+chown root:radiusd dh ca.* client.* server.*
|
||||
+chmod 640 dh ca.* client.* server.*
|
||||
--
|
||||
2.26.2
|
||||
|
52
SOURCES/freeradius-bootstrap-fixed-dhparam.patch
Normal file
52
SOURCES/freeradius-bootstrap-fixed-dhparam.patch
Normal file
@ -0,0 +1,52 @@
|
||||
From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 16:10:52 -0400
|
||||
Subject: [PATCH] Use fixed FIPS-approved dhparam by default
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/Makefile | 2 +-
|
||||
raddb/certs/bootstrap | 7 +++++--
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||
index 5cbfd46..41b7aea 100644
|
||||
--- a/raddb/certs/Makefile
|
||||
+++ b/raddb/certs/Makefile
|
||||
@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
||||
#
|
||||
######################################################################
|
||||
dh:
|
||||
- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
||||
+ cp rfc3526-group-18-8192.dhparam dh
|
||||
|
||||
######################################################################
|
||||
#
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 9920ecf..59b3310 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -13,6 +13,10 @@
|
||||
umask 027
|
||||
cd `dirname $0`
|
||||
|
||||
+if [ ! -e random ]; then
|
||||
+ ln -sf /dev/urandom random
|
||||
+fi
|
||||
+
|
||||
make -h > /dev/null 2>&1
|
||||
|
||||
#
|
||||
@@ -35,8 +39,7 @@ fi
|
||||
# re-generate these commands.
|
||||
#
|
||||
if [ ! -e dh ]; then
|
||||
- openssl dhparam -out dh 2048 || exit 1
|
||||
- ln -sf /dev/urandom random
|
||||
+ cp rfc3526-group-18-8192.dhparam dh
|
||||
fi
|
||||
|
||||
if [ ! -e server.key ]; then
|
||||
--
|
||||
2.26.2
|
||||
|
29
SOURCES/freeradius-bootstrap-make-permissions.patch
Normal file
29
SOURCES/freeradius-bootstrap-make-permissions.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Tue, 4 Aug 2020 10:08:15 -0400
|
||||
Subject: [PATCH] Fix permissions after generating certificates with make
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
raddb/certs/bootstrap | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 336a2bd..9920ecf 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
|
||||
#
|
||||
if [ "$?" = "0" ]; then
|
||||
make all
|
||||
- exit $?
|
||||
+ ret=$?
|
||||
+ chown root:radiusd dh ca.* client.* server.*
|
||||
+ chmod 640 dh ca.* client.* server.*
|
||||
+ exit $ret
|
||||
fi
|
||||
|
||||
#
|
||||
--
|
||||
2.26.2
|
||||
|
1955
SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
Normal file
1955
SOURCES/freeradius-fixes-to-python3-module-since-v3.0.20.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,42 +0,0 @@
|
||||
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Mon, 22 Apr 2019 14:38:19 -0400
|
||||
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
|
||||
|
||||
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
|
||||
which effectively result in a listen.ipaddr only allowing hostnames to
|
||||
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
|
||||
it'll bail with the error message:
|
||||
|
||||
radiusd: #### Opening IP addresses and Ports ####
|
||||
listen {
|
||||
type = "auth"
|
||||
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
|
||||
Name or service not known
|
||||
|
||||
This directly contradicts the language in the default configuration
|
||||
file, so support resolving both IPv4-only and IPv6-only hostnames.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/lib/misc.c | 7 -------
|
||||
1 file changed, 7 deletions(-)
|
||||
|
||||
diff --git a/src/lib/misc.c b/src/lib/misc.c
|
||||
index dff21e33f7..5520d8a0a4 100644
|
||||
--- a/src/lib/misc.c
|
||||
+++ b/src/lib/misc.c
|
||||
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
|
||||
fr_strerror_printf("Invalid address");
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
- /*
|
||||
- * Fall through to resolving the address, using
|
||||
- * whatever address family they prefer. If they
|
||||
- * don't specify an address family, force IPv4.
|
||||
- */
|
||||
- if (af == AF_UNSPEC) af = AF_INET;
|
||||
}
|
||||
|
||||
/*
|
@ -1,94 +0,0 @@
|
||||
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Fri, 14 Sep 2018 11:53:28 +0300
|
||||
Subject: [PATCH] man: Fix some typos
|
||||
|
||||
---
|
||||
man/man5/radrelay.conf.5 | 2 +-
|
||||
man/man5/rlm_files.5 | 2 +-
|
||||
man/man5/unlang.5 | 8 ++++----
|
||||
man/man8/radrelay.8 | 2 +-
|
||||
4 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/man/man5/radrelay.conf.5 b/man/man5/radrelay.conf.5
|
||||
index 5fb38bfc4e..e3e665024b 100644
|
||||
--- a/man/man5/radrelay.conf.5
|
||||
+++ b/man/man5/radrelay.conf.5
|
||||
@@ -26,7 +26,7 @@ Many sites run multiple radius servers; at least one primary and one
|
||||
backup server. When the primary goes down, most NASes detect that and
|
||||
switch to the backup server.
|
||||
|
||||
-That will cause your accounting packets to go the the backup server -
|
||||
+That will cause your accounting packets to go to the backup server -
|
||||
and some NASes don't even switch back to the primary server when it
|
||||
comes back up.
|
||||
|
||||
diff --git a/man/man5/rlm_files.5 b/man/man5/rlm_files.5
|
||||
index bfee5030ff..52f4734ae3 100644
|
||||
--- a/man/man5/rlm_files.5
|
||||
+++ b/man/man5/rlm_files.5
|
||||
@@ -48,7 +48,7 @@ This configuration entry enables you to have configurations that
|
||||
perform per-group checks, and return per-group attributes, where the
|
||||
group membership is dynamically defined by a previous module. It also
|
||||
lets you do things like key off of attributes in the reply, and
|
||||
-express policies like like "when I send replies containing attribute
|
||||
+express policies like "when I send replies containing attribute
|
||||
FOO with value BAR, do more checks, and maybe send additional
|
||||
attributes".
|
||||
.SH CONFIGURATION
|
||||
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
|
||||
index 76db8f2d1c..12fe7855b2 100644
|
||||
--- a/man/man5/unlang.5
|
||||
+++ b/man/man5/unlang.5
|
||||
@@ -36,7 +36,7 @@ the pre-defined keywords here.
|
||||
|
||||
Subject to a few limitations described below, any keyword can appear
|
||||
in any context. The language consists of a series of entries, each
|
||||
-one one line. Each entry begins with a keyword. Entries are
|
||||
+one line. Each entry begins with a keyword. Entries are
|
||||
organized into lists. Processing of the language is line by line,
|
||||
from the start of the list to the end. Actions are executed
|
||||
per-keyword.
|
||||
@@ -131,7 +131,7 @@ expanded as described in the DATA TYPES section, below. The match is
|
||||
then performed on the string returned from the expansion. If the
|
||||
argument is an attribute reference (e.g. &User-Name), then the match
|
||||
is performed on the value of that attribute. Otherwise, the argument
|
||||
-is taken to be a literal string, and and matching is done via simple
|
||||
+is taken to be a literal string, and matching is done via simple
|
||||
comparison.
|
||||
|
||||
No statement other than "case" can appear in a "switch" block.
|
||||
@@ -155,7 +155,7 @@ expanded as described in the DATA TYPES section, below. The match is
|
||||
then performed on the string returned from the expansion. If the
|
||||
argument is an attribute reference (e.g. &User-Name), then the match
|
||||
is performed on the value of that attribute. Otherwise, the argument
|
||||
-is taken to be a literal string, and and matching is done via simple
|
||||
+is taken to be a literal string, and matching is done via simple
|
||||
comparison.
|
||||
|
||||
.DS
|
||||
@@ -799,7 +799,7 @@ regular expression. If no attribute matches, nothing else is done.
|
||||
The value can be an attribute reference, or an attribute-specific
|
||||
string.
|
||||
|
||||
-When the value is an an attribute reference, it must take the form of
|
||||
+When the value is an attribute reference, it must take the form of
|
||||
"&Attribute-Name". The leading "&" signifies that the value is a
|
||||
reference. The "Attribute-Name" is an attribute name, such as
|
||||
"User-Name" or "request:User-Name". When an attribute reference is
|
||||
diff --git a/man/man8/radrelay.8 b/man/man8/radrelay.8
|
||||
index fdba6995d5..99e65732a2 100644
|
||||
--- a/man/man8/radrelay.8
|
||||
+++ b/man/man8/radrelay.8
|
||||
@@ -13,7 +13,7 @@ Many sites run multiple radius servers; at least one primary and one
|
||||
backup server. When the primary goes down, most NASes detect that and
|
||||
switch to the backup server.
|
||||
|
||||
-That will cause your accounting packets to go the the backup server -
|
||||
+That will cause your accounting packets to go to the backup server -
|
||||
and some NASes don't even switch back to the primary server when it
|
||||
comes back up.
|
||||
|
||||
--
|
||||
2.18.0
|
||||
|
104
SOURCES/freeradius-no-buildtime-cert-gen.patch
Normal file
104
SOURCES/freeradius-no-buildtime-cert-gen.patch
Normal file
@ -0,0 +1,104 @@
|
||||
From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 8 May 2019 12:58:02 -0400
|
||||
Subject: [PATCH] Don't generate certificates in reproducible builds
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
Make.inc.in | 5 +++++
|
||||
configure | 4 ++++
|
||||
configure.ac | 3 +++
|
||||
raddb/all.mk | 4 ++++
|
||||
4 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/Make.inc.in b/Make.inc.in
|
||||
index 0b2cd74de8..8c623cf95c 100644
|
||||
--- a/Make.inc.in
|
||||
+++ b/Make.inc.in
|
||||
@@ -173,3 +173,8 @@ else
|
||||
TESTBINDIR = ./$(BUILD_DIR)/bin
|
||||
TESTBIN = ./$(BUILD_DIR)/bin
|
||||
endif
|
||||
+
|
||||
+#
|
||||
+# With reproducible builds, do not generate certificates during installation
|
||||
+#
|
||||
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
|
||||
diff --git a/configure b/configure
|
||||
index c2c599c92b..3d4403a844 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -655,6 +655,7 @@ RUSERS
|
||||
SNMPWALK
|
||||
SNMPGET
|
||||
PERL
|
||||
+ENABLE_REPRODUCIBLE_BUILDS
|
||||
openssl_version_check_config
|
||||
WITH_DHCP
|
||||
modconfdir
|
||||
@@ -5586,6 +5587,7 @@ else
|
||||
fi
|
||||
|
||||
|
||||
+ENABLE_REPRODUCIBLE_BUILDS=yes
|
||||
# Check whether --enable-reproducible-builds was given.
|
||||
if test "${enable_reproducible_builds+set}" = set; then :
|
||||
enableval=$enable_reproducible_builds; case "$enableval" in
|
||||
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
|
||||
;;
|
||||
*)
|
||||
reproducible_builds=no
|
||||
+ ENABLE_REPRODUCIBLE_BUILDS=no
|
||||
esac
|
||||
|
||||
fi
|
||||
@@ -5604,6 +5607,7 @@ fi
|
||||
|
||||
|
||||
|
||||
+
|
||||
CHECKRAD=checkrad
|
||||
# Extract the first word of "perl", so it can be a program name with args.
|
||||
set dummy perl; ac_word=$2
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index a7abf0025a..35b013f4af 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
|
||||
dnl #
|
||||
dnl # extra argument: --enable-reproducible-builds
|
||||
dnl #
|
||||
+ENABLE_REPRODUCIBLE_BUILDS=yes
|
||||
AC_ARG_ENABLE(reproducible-builds,
|
||||
[AS_HELP_STRING([--enable-reproducible-builds],
|
||||
[ensure the build does not change each time])],
|
||||
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
|
||||
;;
|
||||
*)
|
||||
reproducible_builds=no
|
||||
+ ENABLE_REPRODUCIBLE_BUILDS=no
|
||||
esac ]
|
||||
)
|
||||
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
|
||||
|
||||
|
||||
dnl #############################################################
|
||||
diff --git a/raddb/all.mk b/raddb/all.mk
|
||||
index c966edd657..c8e976a499 100644
|
||||
--- a/raddb/all.mk
|
||||
+++ b/raddb/all.mk
|
||||
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
|
||||
ifneq "$(LOCAL_CERT_PRODUCTS)" ""
|
||||
$(LOCAL_CERT_PRODUCTS):
|
||||
@echo BOOTSTRAP raddb/certs/
|
||||
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
|
||||
+ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
|
||||
+else
|
||||
@$(MAKE) -C $(R)$(raddbdir)/certs/
|
||||
+endif
|
||||
|
||||
# Bootstrap is special
|
||||
$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
|
||||
--
|
||||
2.21.0
|
||||
|
45
SOURCES/freeradius-no-dh-param-load-FIPS.patch
Normal file
45
SOURCES/freeradius-no-dh-param-load-FIPS.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Wed, 5 Aug 2020 11:39:45 -0400
|
||||
Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
|
||||
|
||||
OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
|
||||
user-provided dhparams will be ignored (and dhparam generation
|
||||
may fail as well), unless they are on the FIPS approved list of
|
||||
parameters. However, OpenSSL since v1.1.1 will automatically select
|
||||
an appropriate DH parameter set anyways, if the user did not provide
|
||||
any. These will be FIPS approved.
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
src/main/tls.c | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/main/tls.c b/src/main/tls.c
|
||||
index 5809a1bd7d..5e6493333c 100644
|
||||
--- a/src/main/tls.c
|
||||
+++ b/src/main/tls.c
|
||||
@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
|
||||
|
||||
if (!file) return 0;
|
||||
|
||||
+ /*
|
||||
+ * Prior to trying to load the file, check what OpenSSL will do with it.
|
||||
+ *
|
||||
+ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
|
||||
+ * in FIPS mode, unless the specified parameters are FIPS-approved.
|
||||
+ * However, since OpenSSL >= 1.1.1 will automatically select parameters
|
||||
+ * anyways, there's no point in attempting to load them.
|
||||
+ *
|
||||
+ * Change suggested by @t8m
|
||||
+ */
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||
+ if (FIPS_mode() > 0) {
|
||||
+ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if ((bio = BIO_new_file(file, "r")) == NULL) {
|
||||
ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
|
||||
return -1;
|
@ -1,64 +0,0 @@
|
||||
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Scheel <ascheel@redhat.com>
|
||||
Date: Thu, 18 Oct 2018 12:40:53 -0400
|
||||
Subject: [PATCH] Clarify shebangs to be python2
|
||||
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
scripts/radtee | 2 +-
|
||||
src/modules/rlm_python/example.py | 2 +-
|
||||
src/modules/rlm_python/prepaid.py | 2 +-
|
||||
src/modules/rlm_python/radiusd.py | 2 +-
|
||||
src/modules/rlm_python/radiusd_test.py | 2 +-
|
||||
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/scripts/radtee b/scripts/radtee
|
||||
index 123769d244..78b4bcbe0b 100755
|
||||
--- a/scripts/radtee
|
||||
+++ b/scripts/radtee
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/env python
|
||||
+#!/usr/bin/env python2
|
||||
from __future__ import with_statement
|
||||
|
||||
# RADIUS comparison tee v1.0
|
||||
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
|
||||
index 5950a07678..eaf456e349 100644
|
||||
--- a/src/modules/rlm_python/example.py
|
||||
+++ b/src/modules/rlm_python/example.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Python module example file
|
||||
# Miguel A.L. Paraz <mparaz@mparaz.com>
|
||||
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
|
||||
index c3cbf57b8f..3b1dc2e2e8 100644
|
||||
--- a/src/modules/rlm_python/prepaid.py
|
||||
+++ b/src/modules/rlm_python/prepaid.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Example Python module for prepaid usage using MySQL
|
||||
|
||||
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
|
||||
index c535bb3caf..7129923994 100644
|
||||
--- a/src/modules/rlm_python/radiusd.py
|
||||
+++ b/src/modules/rlm_python/radiusd.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Definitions for RADIUS programs
|
||||
#
|
||||
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
|
||||
index 13b7128b29..97b5b64f08 100644
|
||||
--- a/src/modules/rlm_python/radiusd_test.py
|
||||
+++ b/src/modules/rlm_python/radiusd_test.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#! /usr/bin/env python
|
||||
+#! /usr/bin/env python2
|
||||
#
|
||||
# Python module test
|
||||
# Miguel A.L. Paraz <mparaz@mparaz.com>
|
@ -1 +1 @@
|
||||
D /var/run/radiusd 0710 radiusd radiusd -
|
||||
D /run/radiusd 0710 radiusd radiusd -
|
||||
|
@ -1,11 +1,12 @@
|
||||
[Unit]
|
||||
Description=FreeRADIUS high performance RADIUS server.
|
||||
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service
|
||||
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
PIDFile=/var/run/radiusd/radiusd.pid
|
||||
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
||||
ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
|
||||
ExecStartPre=/usr/sbin/radiusd -C
|
||||
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
||||
ExecReload=/usr/sbin/radiusd -C
|
||||
|
24
SOURCES/rfc3526-group-18-8192.pem
Normal file
24
SOURCES/rfc3526-group-18-8192.pem
Normal file
@ -0,0 +1,24 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
|
||||
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
|
||||
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
|
||||
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
|
||||
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
|
||||
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
|
||||
3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
|
||||
7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
|
||||
A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
|
||||
xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
|
||||
8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
|
||||
WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
|
||||
ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
|
||||
xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
|
||||
Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
|
||||
aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
|
||||
38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
@ -8,8 +8,8 @@
|
||||
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.17
|
||||
Release: 7%{?dist}
|
||||
Version: 3.0.20
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.freeradius.org/
|
||||
@ -28,18 +28,16 @@ Source100: radiusd.service
|
||||
Source102: freeradius-logrotate
|
||||
Source103: freeradius-pam-conf
|
||||
Source104: freeradius-tmpfiles.conf
|
||||
Source105: rfc3526-group-18-8192.pem
|
||||
|
||||
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
|
||||
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
|
||||
Patch3: freeradius-man-Fix-some-typos.patch
|
||||
Patch4: freeradius-Add-missing-option-descriptions.patch
|
||||
Patch5: freeradius-OpenSSL-HMAC-MD5.patch
|
||||
Patch6: freeradius-OpenSSL-HMAC-SHA1.patch
|
||||
Patch7: freeradius-python2-shebangs.patch
|
||||
Patch8: freeradius-EAP-PWD-curve-handling.patch
|
||||
Patch9: freeradius-listen-ipv6-fix.patch
|
||||
Patch10: freeradius-EAP-PWD-information-leak-10-iterations.patch
|
||||
|
||||
Patch3: freeradius-bootstrap-create-only.patch
|
||||
Patch4: freeradius-no-buildtime-cert-gen.patch
|
||||
Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
|
||||
Patch6: freeradius-bootstrap-make-permissions.patch
|
||||
Patch7: freeradius-no-dh-param-load-FIPS.patch
|
||||
Patch8: freeradius-bootstrap-fixed-dhparam.patch
|
||||
|
||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -71,7 +69,7 @@ Requires(pre): shadow-utils glibc-common
|
||||
Requires(post): systemd-sysv
|
||||
Requires(post): systemd-units
|
||||
# Needed for certificate generation
|
||||
Requires(post): make
|
||||
Requires: make
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
@ -154,7 +152,7 @@ This plugin provides the Perl support for the FreeRADIUS server project.
|
||||
|
||||
%if %{with python2}
|
||||
%package -n python2-freeradius
|
||||
Summary: Python support for freeradius
|
||||
Summary: Python 2 support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: python2-devel
|
||||
@ -165,10 +163,19 @@ Provides: %{name}-python%{?_isa} = %{version}-%{release}
|
||||
Obsoletes: %{name}-python < %{version}-%{release}
|
||||
|
||||
%description -n python2-freeradius
|
||||
This plugin provides the Python support for the FreeRADIUS server project.
|
||||
This plugin provides the Python 2 support for the FreeRADIUS server project.
|
||||
# endif: with python2
|
||||
%endif
|
||||
|
||||
%package -n python3-freeradius
|
||||
Summary: Python 3 support for freeradius
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: python3-devel
|
||||
%{?python_provide:%python_provide python3-freeradius}
|
||||
|
||||
%description -n python3-freeradius
|
||||
This plugin provides the Python 3 support for the FreeRADIUS server project.
|
||||
|
||||
%package mysql
|
||||
Summary: MySQL support for freeradius
|
||||
Group: System Environment/Daemons
|
||||
@ -227,13 +234,22 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
||||
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
|
||||
%build
|
||||
# Force compile/link options, extra security for network facing daemon
|
||||
%global _hardened_build 1
|
||||
|
||||
# Hack: rlm_python3 as stable; prevents building other unstable modules.
|
||||
sed 's/rlm_python.*/rlm_python3/g' src/modules/stable -i
|
||||
|
||||
# python3-config is broken:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1772988
|
||||
export PY3_LIB_DIR=%{_libdir}/"$(python3-config --configdir | sed 's#/usr/lib/##g')"
|
||||
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
||||
|
||||
%configure \
|
||||
--libdir=%{_libdir}/freeradius \
|
||||
--enable-reproducible-builds \
|
||||
@ -249,6 +265,12 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
--with-unixodbc-lib-dir=%{_libdir} \
|
||||
--with-rlm-dbm-lib-dir=%{_libdir} \
|
||||
--with-rlm-krb5-include-dir=/usr/kerberos/include \
|
||||
--with-rlm_python3 \
|
||||
--with-rlm-python3-lib-dir=$PY3_LIB_DIR \
|
||||
--with-rlm-python3-include-dir=$PY3_INC_DIR \
|
||||
%if %{without python2}
|
||||
--without-rlm-python2 \
|
||||
%endif
|
||||
--without-rlm_eap_ikev2 \
|
||||
--without-rlm_eap_tnc \
|
||||
--without-rlm_sql_iodbc \
|
||||
@ -256,11 +278,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
--without-rlm_sql_db2 \
|
||||
--without-rlm_sql_oracle \
|
||||
--without-rlm_unbound \
|
||||
%if %{without python2}
|
||||
--without-rlm_python \
|
||||
--without-python \
|
||||
--disable-python \
|
||||
%endif
|
||||
--without-rlm_redis \
|
||||
--without-rlm_rediswho \
|
||||
--without-rlm_cache_memcached
|
||||
@ -285,12 +302,16 @@ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
|
||||
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
|
||||
|
||||
# Add fixed dhparam file
|
||||
install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
|
||||
# install SNMP MIB files
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
|
||||
# remove unneeded stuff
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crt
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.crl
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.csr
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.der
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/certs/*.key
|
||||
@ -324,11 +345,6 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
|
||||
|
||||
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
|
||||
|
||||
# conditionally remove python due to it being python2-only
|
||||
%if %{without python2}
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/python
|
||||
%endif
|
||||
|
||||
# Remove yubikey on RHEL
|
||||
%if 0%{?rhel}
|
||||
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/yubikey
|
||||
@ -338,6 +354,10 @@ rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_yubikey.so
|
||||
# remove unsupported config files
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
|
||||
|
||||
# Mongo will never be supported on Fedora or RHEL
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/ippool/mongo/queries.conf
|
||||
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/sql/main/mongo/queries.conf
|
||||
|
||||
# install doc files omitted by standard install
|
||||
for f in COPYRIGHT CREDITS INSTALL.rst README.rst VERSION; do
|
||||
cp $f $RPM_BUILD_ROOT/%{docdir}
|
||||
@ -369,12 +389,6 @@ exit 0
|
||||
|
||||
%post
|
||||
%systemd_post radiusd.service
|
||||
if [ $1 -eq 1 ]; then # install
|
||||
# Initial installation
|
||||
if [ ! -e /etc/raddb/certs/server.pem ]; then
|
||||
/sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
|
||||
fi
|
||||
fi
|
||||
exit 0
|
||||
|
||||
%preun
|
||||
@ -440,6 +454,7 @@ exit 0
|
||||
/etc/raddb/certs/README
|
||||
%config(noreplace) /etc/raddb/certs/xpextensions
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
|
||||
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
|
||||
|
||||
# mods-config
|
||||
@ -467,6 +482,7 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/robust-proxy-accounting
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/soh
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/coa-relay
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/example
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/inner-tunnel
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/dhcp
|
||||
@ -531,6 +547,8 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/pap
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/passwd
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/preprocess
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/python3
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/radutmp
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/realm
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/redis
|
||||
@ -598,6 +616,7 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/eap
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/filter
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/operator-name
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/policy.d/rfc7542
|
||||
|
||||
|
||||
# binaries
|
||||
@ -758,6 +777,12 @@ exit 0
|
||||
# endif: with python2
|
||||
%endif
|
||||
|
||||
%files -n python3-freeradius
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/python3
|
||||
/etc/raddb/mods-config/python3/example.py*
|
||||
/etc/raddb/mods-config/python3/radiusd.py*
|
||||
%{_libdir}/freeradius/rlm_python3.so
|
||||
|
||||
%files mysql
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
|
||||
@ -772,6 +797,7 @@ exit 0
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
|
||||
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
|
||||
@ -808,6 +834,7 @@ exit 0
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/postgresql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/queries.conf
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/schema.sql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/procedure.sql
|
||||
|
||||
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/setup.sql
|
||||
@ -857,6 +884,22 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
|
||||
- Require make for proper bootstrap execution, removes post script
|
||||
Resolves: bz#1672285
|
||||
|
||||
* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
|
||||
- Fix breakage caused by OpenSSL FIPS regression
|
||||
Related: bz#1855822
|
||||
Related: bz#1810911
|
||||
Resolves: bz#1672285
|
||||
|
||||
* Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
|
||||
- Update to FreeRADIUS server version 3.0.20
|
||||
- Introduce Python 3 support; resolves: bz#1623069
|
||||
- DoS issues due to multithreaded BN_CTX access; resolves: bz#1818809
|
||||
- Create tmp files in /run; resolves: bz#1805975
|
||||
|
||||
* Fri Nov 22 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.17-7
|
||||
- Fix information leak due to aborting when needing more than 10 iterations
|
||||
Resolves: bz#1751797
|
||||
|
Loading…
Reference in New Issue
Block a user