import freeradius-3.0.20-3.module+el8.3.0+7597+67902674

2020-08-27 18:51:24 +00:00 · 2020-08-27 18:51:24 +00:00 · 45cb3bdac6
parent eeb70b2805
commit 45cb3bdac6
7 changed files with 202 additions and 45 deletions
--- a/SOURCES/freeradius-bootstrap-create-only.patch
+++ b/SOURCES/freeradius-bootstrap-create-only.patch
@ -1,36 +1,20 @@
-From d38836ca4158b42c27f4d7f474e64f4f10aed16d Mon Sep 17 00:00:00 2001
+From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
 From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 8 May 2019 10:29:08 -0400
+Date: Wed, 5 Aug 2020 15:53:45 -0400
 Subject: [PATCH] Don't clobber existing files on bootstrap

+Rebased: v3.0.20
+
 Signed-off-by: Alexander Scheel <ascheel@redhat.com>
 ---
- raddb/certs/bootstrap | 39 ++++++++++++---------------------------
- 1 file changed, 12 insertions(+), 27 deletions(-)
+ raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)

 diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
-index 0f719aafd4..be81a2d697 100755
+index 0f719aa..336a2bd 100755
 --- a/raddb/certs/bootstrap
 +++ b/raddb/certs/bootstrap
-@@ -13,17 +13,6 @@
- umask 027
- cd `dirname $0`
-
-make -h > /dev/null 2>&1
-
-#
-#  If we have a working "make", then use it.  Otherwise, run the commands
-#  manually.
-#
-if [ "$?" = "0" ]; then
-  make all
-  exit $?
-fi
-
- #
- #  The following commands were created by running "make -n", and edited
- #  to remove the trailing backslash, and to add "exit 1" after the commands.
-@@ -31,52 +20,51 @@ fi
+@@ -31,52 +31,55 @@ fi
 #  Don't edit the following text.  Instead, edit the Makefile, and
 #  re-generate these commands.
 #
@ -44,60 +28,64 @@ index 0f719aafd4..be81a2d697 100755
 -  fi
 +  ln -sf /dev/urandom random
 fi
-
+ 
 -if [ ! -f server.key ]; then
 +if [ ! -e server.key ]; then
   openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
+  chmod g+r server.key
 fi
-
+ 
 -if [ ! -f ca.key ]; then
 +if [ ! -e ca.key ]; then
   openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
 fi
-
+ 
 -if [ ! -f index.txt ]; then
 +if [ ! -e index.txt ]; then
   touch index.txt
 fi
-
+ 
 -if [ ! -f serial ]; then
 +if [ ! -e serial ]; then
   echo '01' > serial
 fi
-
+ 
 -if [ ! -f server.crt ]; then
 +if [ ! -e server.crt ]; then
   openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
 fi
-
+ 
 -if [ ! -f server.p12 ]; then
 +if [ ! -e server.p12 ]; then
   openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+  chmod g+r server.p12
 fi
-
+ 
 -if [ ! -f server.pem ]; then
 +if [ ! -e server.pem ]; then
   openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
   openssl verify -CAfile ca.pem server.pem || exit 1
+  chmod g+r server.pem
 fi
-
+ 
 -if [ ! -f ca.der ]; then
 +if [ ! -e ca.der ]; then
   openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
 fi
-
+ 
 -if [ ! -f client.key ]; then
 +if [ ! -e client.key ]; then
   openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
+  chmod g+r client.key
 fi
-
+ 
 -if [ ! -f client.crt ]; then
 +if [ ! -e client.crt ]; then
   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
 fi
 +
 +chown root:radiusd dh ca.* client.* server.*
-+chmod 644 dh ca.* client.* server.*
--
-2.21.0
+chmod 640 dh ca.* client.* server.*
+-- 
+2.26.2

--- a/SOURCES/freeradius-bootstrap-fixed-dhparam.patch
+++ b/SOURCES/freeradius-bootstrap-fixed-dhparam.patch
@ -0,0 +1,52 @@
+From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 16:10:52 -0400
+Subject: [PATCH] Use fixed FIPS-approved dhparam by default
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/Makefile  | 2 +-
+ raddb/certs/bootstrap | 7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd46..41b7aea 100644
+--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
+@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ #
+ ######################################################################
+ dh:
+-	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+	cp rfc3526-group-18-8192.dhparam dh
+ 
+ ######################################################################
+ #
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 9920ecf..59b3310 100755
+--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
+@@ -13,6 +13,10 @@
+ umask 027
+ cd `dirname $0`
+ 
+if [ ! -e random ]; then
+  ln -sf /dev/urandom random
+fi
+
+ make -h > /dev/null 2>&1
+ 
+ #
+@@ -35,8 +39,7 @@ fi
+ #  re-generate these commands.
+ #
+ if [ ! -e dh ]; then
+-  openssl dhparam -out dh 2048 || exit 1
+-  ln -sf /dev/urandom random
+  cp rfc3526-group-18-8192.dhparam dh
+ fi
+ 
+ if [ ! -e server.key ]; then
+-- 
+2.26.2
+
--- a/SOURCES/freeradius-bootstrap-make-permissions.patch
+++ b/SOURCES/freeradius-bootstrap-make-permissions.patch
@ -0,0 +1,29 @@
+From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 4 Aug 2020 10:08:15 -0400
+Subject: [PATCH] Fix permissions after generating certificates with make
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/bootstrap | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 336a2bd..9920ecf 100755
+--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
+@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
+ #
+ if [ "$?" = "0" ]; then
+   make all
+-  exit $?
+  ret=$?
+  chown root:radiusd dh ca.* client.* server.*
+  chmod 640 dh ca.* client.* server.*
+  exit $ret
+ fi
+ 
+ #
+-- 
+2.26.2
+
--- a/SOURCES/freeradius-no-dh-param-load-FIPS.patch
+++ b/SOURCES/freeradius-no-dh-param-load-FIPS.patch
@ -0,0 +1,45 @@
+From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 11:39:45 -0400
+Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
+
+OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
+user-provided dhparams will be ignored (and dhparam generation
+may fail as well), unless they are on the FIPS approved list of
+parameters. However, OpenSSL since v1.1.1 will automatically select
+an appropriate DH parameter set anyways, if the user did not provide
+any. These will be FIPS approved.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/main/tls.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5809a1bd7d..5e6493333c 100644
+--- a/src/main/tls.c
+++ b/src/main/tls.c
+@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
+
+ 	if (!file) return 0;
+
+	/*
+	 * Prior to trying to load the file, check what OpenSSL will do with it.
+	 *
+	 * Certain downstreams (such as RHEL) will ignore user-provided dhparams
+	 * in FIPS mode, unless the specified parameters are FIPS-approved.
+	 * However, since OpenSSL >= 1.1.1 will automatically select parameters
+	 * anyways, there's no point in attempting to load them.
+	 *
+	 * Change suggested by @t8m
+	 */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+	if (FIPS_mode() > 0) {
+		WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
+		return 0;
+	}
+#endif
+
+ 	if ((bio = BIO_new_file(file, "r")) == NULL) {
+ 		ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
+ 		return -1;
--- a/SOURCES/radiusd.service
+++ b/SOURCES/radiusd.service
@ -6,6 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
 Type=forking
 PIDFile=/var/run/radiusd/radiusd.pid
 ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
 ExecStartPre=/usr/sbin/radiusd -C
 ExecStart=/usr/sbin/radiusd -d /etc/raddb
 ExecReload=/usr/sbin/radiusd -C
--- a/SOURCES/rfc3526-group-18-8192.pem
+++ b/SOURCES/rfc3526-group-18-8192.pem
@ -0,0 +1,24 @@
+-----BEGIN DH PARAMETERS-----
+MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
+ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
+HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
+3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
+7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
+A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
+xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
+8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
+WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
+ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
+xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
+Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
+aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
+38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
+-----END DH PARAMETERS-----
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@ -9,7 +9,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.20
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@ -28,12 +28,16 @@ Source100: radiusd.service
 Source102: freeradius-logrotate
 Source103: freeradius-pam-conf
 Source104: freeradius-tmpfiles.conf
+Source105: rfc3526-group-18-8192.pem

 Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
 Patch2: freeradius-Use-system-crypto-policy-by-default.patch
 Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
 Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
+Patch6: freeradius-bootstrap-make-permissions.patch
+Patch7: freeradius-no-dh-param-load-FIPS.patch
+Patch8: freeradius-bootstrap-fixed-dhparam.patch

 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}

@ -65,7 +69,7 @@ Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
 # Needed for certificate generation
-Requires(post): make
+Requires: make
 Requires(preun): systemd-units
 Requires(postun): systemd-units

@ -227,6 +231,12 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+
+# Add fixed dhparam file to the source to ensure `make tests` can run.
+cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam

 %build
 # Force compile/link options, extra security for network facing daemon
@ -292,6 +302,9 @@ install -d -m 0710 %{buildroot}%{_localstatedir}/run/radiusd/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/radiusd/tmp
 install -m 0644 %{SOURCE104} %{buildroot}%{_tmpfilesdir}/radiusd.conf

+# Add fixed dhparam file
+install -m 0644 %{SOURCE105} %{buildroot}/%{_sysconfdir}/raddb/certs/rfc3526-group-18-8192.dhparam
+
 # install SNMP MIB files
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
 install -m 644 mibs/*RADIUS*.mib $RPM_BUILD_ROOT%{_datadir}/snmp/mibs/
@ -376,12 +389,6 @@ exit 0

 %post
 %systemd_post radiusd.service
-if [ $1 -eq 1 ]; then           # install
-  # Initial installation
-  if [ ! -e /etc/raddb/certs/server.pem ]; then
-    /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
-  fi
-fi
 exit 0

 %preun
@ -447,6 +454,7 @@ exit 0
 /etc/raddb/certs/README
 %config(noreplace) /etc/raddb/certs/xpextensions
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
+%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/rfc3526-group-18-8192.dhparam
 %attr(750,root,radiusd) /etc/raddb/certs/bootstrap

 # mods-config
@ -876,6 +884,16 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest

 %changelog
+* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
+- Require make for proper bootstrap execution, removes post script
+  Resolves: bz#1672285
+
+* Wed Aug 05 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-2
+- Fix breakage caused by OpenSSL FIPS regression
+  Related: bz#1855822
+  Related: bz#1810911
+  Resolves: bz#1672285
+
 * Mon Jun 08 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-1
 - Update to FreeRADIUS server version 3.0.20
 - Introduce Python 3 support; resolves: bz#1623069