import freeradius-3.0.21-34.el9
This commit is contained in:
parent
d40d999666
commit
359b914554
@ -0,0 +1,136 @@
|
||||
From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Fri, 22 Apr 2022 12:27:43 +0200
|
||||
Subject: [PATCH] bootstrap: pass -noenc to certificate generation
|
||||
|
||||
Bootstrap script would fail to generate certificates if run on systems
|
||||
with FIPS enabled. By passing the -noenc option, we can skip the usage
|
||||
of unsupported algorithms on these systems.
|
||||
|
||||
After generating the certificates, correct permissions are set.
|
||||
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
|
||||
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
|
||||
In bootstrap diff, -f is changed to -e in conditionals.
|
||||
---
|
||||
raddb/certs/Makefile | 20 ++++++++++++++++----
|
||||
raddb/certs/bootstrap | 6 +++---
|
||||
2 files changed, 19 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||
index 5cbfd467ce..cb10394ec3 100644
|
||||
--- a/raddb/certs/Makefile
|
||||
+++ b/raddb/certs/Makefile
|
||||
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
||||
######################################################################
|
||||
dh:
|
||||
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
||||
+ chown root:radiusd dh
|
||||
+ chmod 640 dh
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
|
||||
@[ -f serial ] || $(MAKE) serial
|
||||
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
|
||||
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
|
||||
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
|
||||
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
|
||||
chmod g+r ca.key
|
||||
+ chown root:radiusd ca.*
|
||||
+ chmod 640 ca.*
|
||||
|
||||
ca.der: ca.pem
|
||||
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
|
||||
@@ -81,6 +85,8 @@ ca.crl: ca.pem
|
||||
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
|
||||
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
|
||||
rm ca-crl.pem
|
||||
+ chown root:radiusd ca.*
|
||||
+ chmod 640 ca.*
|
||||
|
||||
######################################################################
|
||||
#
|
||||
@@ -88,7 +94,7 @@ ca.crl: ca.pem
|
||||
#
|
||||
######################################################################
|
||||
server.csr server.key: server.cnf
|
||||
- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
|
||||
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
|
||||
chmod g+r server.key
|
||||
|
||||
server.crt: server.csr ca.key ca.pem
|
||||
@@ -101,6 +107,8 @@ server.p12: server.crt
|
||||
server.pem: server.p12
|
||||
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
|
||||
chmod g+r server.pem
|
||||
+ chown root:radiusd server.*
|
||||
+ chmod 640 server.*
|
||||
|
||||
.PHONY: server.vrfy
|
||||
server.vrfy: ca.pem
|
||||
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
|
||||
#
|
||||
######################################################################
|
||||
client.csr client.key: client.cnf
|
||||
- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
||||
chmod g+r client.key
|
||||
|
||||
client.crt: client.csr ca.pem ca.key
|
||||
@@ -127,6 +135,8 @@ client.pem: client.p12
|
||||
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
|
||||
chmod g+r client.pem
|
||||
cp client.pem $(USER_NAME).pem
|
||||
+ chown root:radiusd client.*
|
||||
+ chmod 640 client.*
|
||||
|
||||
.PHONY: client.vrfy
|
||||
client.vrfy: ca.pem client.pem
|
||||
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
|
||||
#
|
||||
######################################################################
|
||||
inner-server.csr inner-server.key: inner-server.cnf
|
||||
- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
|
||||
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
|
||||
chmod g+r inner-server.key
|
||||
|
||||
inner-server.crt: inner-server.csr ca.key ca.pem
|
||||
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
|
||||
inner-server.pem: inner-server.p12
|
||||
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
|
||||
chmod g+r inner-server.pem
|
||||
+ chown root:radiusd inner-server.*
|
||||
+ chmod 640 inner-server.*
|
||||
|
||||
.PHONY: inner-server.vrfy
|
||||
inner-server.vrfy: ca.pem
|
||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||
index 57de8cf0d7..c258ec45e0 100755
|
||||
--- a/raddb/certs/bootstrap
|
||||
+++ b/raddb/certs/bootstrap
|
||||
@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
|
||||
fi
|
||||
|
||||
if [ ! -e server.key ]; then
|
||||
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
||||
+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
|
||||
chmod g+r server.key
|
||||
fi
|
||||
|
||||
if [ ! -e ca.key ]; then
|
||||
- openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
|
||||
+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
|
||||
fi
|
||||
|
||||
if [ ! -e index.txt ]; then
|
||||
@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
|
||||
fi
|
||||
|
||||
if [ ! -e client.key ]; then
|
||||
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
||||
chmod g+r client.key
|
||||
fi
|
||||
|
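Review bot: The `chown root:radiusd` lines added to the dh, ca.key/ca.pem, ca.crl, server.pem, client.pem and inner-server.pem rules of raddb/certs/Makefile make those targets fail whenever the Makefile is run by an unprivileged user or on a host with no radiusd group, and since the file sets no `.DELETE_ON_ERROR` the already-written key is left behind, is newer than its .cnf prerequisite, and is treated as up to date on the next run, so the following `chmod 640` never executes (the `ca.key ca.pem: ca.cnf` rule header itself is visible only in the hunk context line). With `-noenc` the private keys are now written unencrypted and the `-passout pass:$(PASSWORD_CA)` in the ca rule no longer protects ca.key, so the file mode is the only safeguard; I would make the ownership step explicit about when it applies, e.g. `[ "$$(id -u)" -ne 0 ] || chown root:radiusd ca.key` followed by `chmod 640 ca.key`, rather than letting it abort the build. The `ca.*`, `server.*`, `client.*` and `inner-server.*` globs also restrict the .cnf files and the public certificates (ca.pem, ca.der, *.crt), which have no need to be 640, so naming the key files would be more precise. `-noenc` is the OpenSSL 3.0 spelling of `-nodes`; that only matters if this patched Makefile must still run against OpenSSL 1.1.1, where `-nodes` is accepted by both. The two bootstrap hunks add `-noenc` only and keep the pre-existing `chmod g+r server.key`/`chmod g+r client.key`, so keys generated through the script are unencrypted and owned by the invoking user at mode 0640, which is presumably intended by the packaging but should be stated in the commit message since it currently says permissions are corrected after generation.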
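--- /dev/null
+++ b/SOURCES/freeradius.sysusers
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+u radiusd 95 "radiusd user" /var/lib/radiusd /sbin/nologin
+g radiusd 95 - - -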
@ -1,7 +1,7 @@
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.21
|
||||
Release: 26%{?dist}
|
||||
Release: 34%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
URL: http://www.freeradius.org/
|
||||
|
||||
@ -19,6 +19,7 @@ Source100: radiusd.service
|
||||
Source102: freeradius-logrotate
|
||||
Source103: freeradius-pam-conf
|
||||
Source104: freeradius-tmpfiles.conf
|
||||
Source105: freeradius.sysusers
|
||||
|
||||
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
|
||||
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
|
||||
@ -28,6 +29,7 @@ Patch5: freeradius-bootstrap-make-permissions.patch
|
||||
Patch6: freeradius-Fix-resource-hard-limit-error.patch
|
||||
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
|
||||
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
|
||||
Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
|
||||
|
||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -47,6 +49,7 @@ BuildRequires: systemd-units
|
||||
BuildRequires: libtalloc-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: chrpath
|
||||
BuildRequires: systemd-rpm-macros
|
||||
|
||||
%if ! 0%{?rhel}
|
||||
BuildRequires: libyubikey-devel
|
||||
@ -56,6 +59,7 @@ BuildRequires: ykclient-devel
|
||||
# Require OpenSSL version we built with, or newer, to avoid startup failures
|
||||
# due to runtime OpenSSL version checks.
|
||||
Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
|
||||
Requires: openssl-perl
|
||||
Requires(pre): shadow-utils glibc-common
|
||||
Requires(post): systemd-sysv
|
||||
Requires(post): systemd-units
|
||||
@ -213,6 +217,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
|
||||
%build
|
||||
# Force compile/link options, extra security for network facing daemon
|
||||
@ -225,6 +230,9 @@ sed 's/rlm_python/rlm_python3/g' src/modules/stable -i
|
||||
export PY3_LIB_DIR="$(python3-config --configdir)"
|
||||
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
||||
|
||||
# Enable FIPS support
|
||||
%global build_cflags %{build_cflags} -DWITH_FIPS
|
||||
|
||||
# In order for the above hack to stick, do a fake configure so
|
||||
# we can run reconfig before cleaning up after ourselves and running
|
||||
# configure for real.
|
||||
@ -279,6 +287,7 @@ mkdir -p %{buildroot}%{_localstatedir}/run/
|
||||
install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
|
||||
install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
|
||||
install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf
|
||||
|
||||
# install SNMP MIB files
|
||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
|
||||
@ -362,20 +371,13 @@ EOF
|
||||
|
||||
# Make sure our user/group is present prior to any package or subpackage installation
|
||||
%pre
|
||||
getent group radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
|
||||
getent passwd radiusd >/dev/null || /usr/sbin/useradd -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
|
||||
exit 0
|
||||
%sysusers_create_compat %{SOURCE105}
|
||||
|
||||
%preun
|
||||
%systemd_preun radiusd.service
|
||||
|
||||
%postun
|
||||
%systemd_postun_with_restart radiusd.service
|
||||
if [ $1 -eq 0 ]; then # uninstall
|
||||
getent passwd radiusd >/dev/null && /usr/sbin/userdel radiusd > /dev/null 2>&1
|
||||
getent group radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
|
||||
fi
|
||||
exit 0
|
||||
|
||||
/bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :
|
||||
|
||||
@ -394,6 +396,7 @@ exit 0
|
||||
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
|
||||
%{_unitdir}/radiusd.service
|
||||
%{_tmpfilesdir}/radiusd.conf
|
||||
%{_sysusersdir}/freeradius.conf
|
||||
%dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
|
||||
%dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
|
||||
%dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
|
||||
@ -855,6 +858,39 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Wed Jun 29 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-34
|
||||
- Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107)
|
||||
Resolves: #2095403
|
||||
|
||||
* Fri Jun 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-33
|
||||
- Dynamically allocate users using sysusers.d format
|
||||
Resolves: #2095403
|
||||
|
||||
* Mon May 30 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-32
|
||||
- Add WITH_FIPS macro to CFLAGS
|
||||
Related: rhbz#2083699
|
||||
|
||||
* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
|
||||
- Update OpenSSL 3.0 support backport to current v3.0.x branch state
|
||||
- Add "--enable-fips-workaround" to build options
|
||||
Related: rhbz#2083699
|
||||
|
||||
* Tue May 10 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-30
|
||||
- Add openssl-perl dependency
|
||||
Related: rhbz#2078816
|
||||
|
||||
* Thu Apr 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-29
|
||||
- Set correct permissions for certificates generated by bootstrap Makefile
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
|
||||
- bootstrap: pass -noenc to certificate generation, do it on script as well
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Fri Apr 22 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-27
|
||||
- bootstrap: pass -noenc to certificate generation
|
||||
Related: rhbz#2069224
|
||||
|
||||
* Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
|
||||
- Move remaining files from /var/run to /run
|
||||
Related: rhbz#2047972
|
||||
|