import freeradius-3.0.21-34.el9

2022-11-15 01:37:32 -05:00 · 2022-11-15 01:37:32 -05:00 · 359b914554
parent d40d999666
commit 359b914554
4 changed files with 1333 additions and 485 deletions
--- a/SOURCES/freeradius-Backport-OpenSSL3-fixes.patch
+++ b/SOURCES/freeradius-Backport-OpenSSL3-fixes.patch
--- a/SOURCES/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
+++ b/SOURCES/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
@ -0,0 +1,136 @@
+From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 22 Apr 2022 12:27:43 +0200
+Subject: [PATCH] bootstrap: pass -noenc to certificate generation
+
+Bootstrap script would fail to generate certificates if run on systems
+with FIPS enabled. By passing the -noenc option, we can skip the usage
+of unsupported algorithms on these systems.
+
+After generating the certificates, correct permissions are set.
+
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+
+[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
+In bootstrap diff, -f is changed to -e in conditionals.
+---
+ raddb/certs/Makefile  | 20 ++++++++++++++++----
+ raddb/certs/bootstrap |  6 +++---
+ 2 files changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd467ce..cb10394ec3 100644
+--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
+@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ ######################################################################
+ dh:
+ 	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+	chown root:radiusd dh
+	chmod 640 dh
+ 
+ ######################################################################
+ #
+@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
+ 	@[ -f serial ] || $(MAKE) serial
+ 	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
+ 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
+-		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
+ 	chmod g+r ca.key
+	chown root:radiusd ca.*
+	chmod 640 ca.*
+ 
+ ca.der: ca.pem
+ 	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
+@@ -81,6 +85,8 @@ ca.crl: ca.pem
+ 	$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
+ 	$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
+ 	rm ca-crl.pem
+	chown root:radiusd ca.*
+	chmod 640 ca.*
+ 
+ ######################################################################
+ #
+@@ -88,7 +94,7 @@ ca.crl: ca.pem
+ #
+ ######################################################################
+ server.csr server.key: server.cnf
+-	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
+	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf -noenc
+ 	chmod g+r server.key
+ 
+ server.crt: server.csr ca.key ca.pem
+@@ -101,6 +107,8 @@ server.p12: server.crt
+ server.pem: server.p12
+ 	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ 	chmod g+r server.pem
+	chown root:radiusd server.*
+	chmod 640 server.*
+ 
+ .PHONY: server.vrfy
+ server.vrfy: ca.pem
+@@ -113,7 +121,7 @@ server.vrfy: ca.pem
+ #
+ ######################################################################
+ client.csr client.key: client.cnf
+-	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
+	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf -noenc
+ 	chmod g+r client.key
+ 
+ client.crt: client.csr ca.pem ca.key
+@@ -127,6 +135,8 @@ client.pem: client.p12
+ 	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ 	chmod g+r client.pem
+ 	cp client.pem $(USER_NAME).pem
+	chown root:radiusd client.*
+	chmod 640 client.*
+ 
+ .PHONY: client.vrfy
+ client.vrfy: ca.pem client.pem
+@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
+ #
+ ######################################################################
+ inner-server.csr inner-server.key: inner-server.cnf
+-	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
+ 	chmod g+r inner-server.key
+ 
+ inner-server.crt: inner-server.csr ca.key ca.pem
+@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
+ inner-server.pem: inner-server.p12
+ 	$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ 	chmod g+r inner-server.pem
+	chown root:radiusd inner-server.*
+	chmod 640 inner-server.*
+ 
+ .PHONY: inner-server.vrfy
+ inner-server.vrfy: ca.pem
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 57de8cf0d7..c258ec45e0 100755
+--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
+@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
+ fi
+ 
+ if [ ! -e server.key ]; then
+-  openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
+  openssl req -new  -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
+   chmod g+r server.key
+ fi
+ 
+ if [ ! -e ca.key ]; then
+-  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
+ fi
+ 
+ if [ ! -e index.txt ]; then
+@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
+ fi
+ 
+ if [ ! -e client.key ]; then
+-  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
+  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf -noenc
+   chmod g+r client.key
+ fi
+ 
--- a/SOURCES/freeradius.sysusers
+++ b/SOURCES/freeradius.sysusers
@ -0,0 +1,3 @@
+#Type Name     ID  GECOS           Home directory        Shell
+u     radiusd  95  "radiusd user"  /var/lib/radiusd      /sbin/nologin
+g     radiusd  95  -               -                     -
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 26%{?dist}
+Release: 34%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/

@ -19,6 +19,7 @@ Source100: radiusd.service
 Source102: freeradius-logrotate
 Source103: freeradius-pam-conf
 Source104: freeradius-tmpfiles.conf
+Source105: freeradius.sysusers

 Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
 Patch2: freeradius-Use-system-crypto-policy-by-default.patch
@ -28,6 +29,7 @@ Patch5: freeradius-bootstrap-make-permissions.patch
 Patch6: freeradius-Fix-resource-hard-limit-error.patch
 Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
 Patch8: freeradius-Backport-OpenSSL3-fixes.patch
+Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch

 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}

@ -47,6 +49,7 @@ BuildRequires: systemd-units
 BuildRequires: libtalloc-devel
 BuildRequires: pcre-devel
 BuildRequires: chrpath
+BuildRequires: systemd-rpm-macros

 %if ! 0%{?rhel}
 BuildRequires: libyubikey-devel
@ -56,6 +59,7 @@ BuildRequires: ykclient-devel
 # Require OpenSSL version we built with, or newer, to avoid startup failures
 # due to runtime OpenSSL version checks.
 Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
+Requires: openssl-perl
 Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
@ -213,6 +217,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1

 %build
 # Force compile/link options, extra security for network facing daemon
@ -225,6 +230,9 @@ sed 's/rlm_python/rlm_python3/g' src/modules/stable -i
 export PY3_LIB_DIR="$(python3-config --configdir)"
 export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"

+# Enable FIPS support
+%global build_cflags %{build_cflags} -DWITH_FIPS
+
 # In order for the above hack to stick, do a fake configure so
 # we can run reconfig before cleaning up after ourselves and running
 # configure for real.
@ -279,6 +287,7 @@ mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
 install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf
+install -p -D -m 0644 %{SOURCE105} %{buildroot}%{_sysusersdir}/freeradius.conf

 # install SNMP MIB files
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
@ -362,20 +371,13 @@ EOF

 # Make sure our user/group is present prior to any package or subpackage installation
 %pre
-getent group  radiusd >/dev/null || /usr/sbin/groupadd -r -g 95 radiusd > /dev/null 2>&1
-getent passwd radiusd >/dev/null || /usr/sbin/useradd  -r -g radiusd -u 95 -c "radiusd user" -d %{_localstatedir}/lib/radiusd -s /sbin/nologin radiusd > /dev/null 2>&1
-exit 0
+%sysusers_create_compat %{SOURCE105}

 %preun
 %systemd_preun radiusd.service

 %postun
 %systemd_postun_with_restart radiusd.service
-if [ $1 -eq 0 ]; then           # uninstall
-  getent passwd radiusd >/dev/null && /usr/sbin/userdel  radiusd > /dev/null 2>&1
-  getent group  radiusd >/dev/null && /usr/sbin/groupdel radiusd > /dev/null 2>&1
-fi
-exit 0

 /bin/systemctl try-restart radiusd.service >/dev/null 2>&1 || :

@ -394,6 +396,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 %{_unitdir}/radiusd.service
 %{_tmpfilesdir}/radiusd.conf
+%{_sysusersdir}/freeradius.conf
 %dir %attr(710,radiusd,radiusd) %{_localstatedir}/run/radiusd
 %dir %attr(700,radiusd,radiusd) %{_localstatedir}/run/radiusd/tmp
 %dir %attr(755,radiusd,radiusd) %{_localstatedir}/lib/radiusd
@ -855,6 +858,39 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest

 %changelog
+* Wed Jun 29 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-34
+- Use GID / UID 95 as it's reserved for FreeRADIUS (https://pagure.io/setup/blob/07f8debf03dfb0e5ed36051c13c86c8cd00cd241/f/uidgid#_107)
+  Resolves: #2095403
+
+* Fri Jun 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-33
+- Dynamically allocate users using sysusers.d format
+  Resolves: #2095403
+
+* Mon May 30 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-32
+- Add WITH_FIPS macro to CFLAGS
+  Related: rhbz#2083699
+
+* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
+- Update OpenSSL 3.0 support backport to current v3.0.x branch state
+- Add "--enable-fips-workaround" to build options
+  Related: rhbz#2083699
+
+* Tue May 10 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-30
+- Add openssl-perl dependency
+  Related: rhbz#2078816
+
+* Thu Apr 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-29
+- Set correct permissions for certificates generated by bootstrap Makefile
+  Related: rhbz#2069224
+
+* Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
+- bootstrap: pass -noenc to certificate generation, do it on script as well
+  Related: rhbz#2069224
+
+* Fri Apr 22 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-27
+- bootstrap: pass -noenc to certificate generation
+  Related: rhbz#2069224
+
 * Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
 - Move remaining files from /var/run to /run
  Related: rhbz#2047972