rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Import rpm: f5c254fdd9f2279858ae11c7b9e7e625a976c1dd

Browse Source
This commit is contained in:
James Antill 2022-08-08 12:27:54 -04:00
commit 5417f8ef36
35 changed files with 17288 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/freeradius-server-3.0.20.tar.bz2

60
freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch Normal file
View File

@ -0,0 +1,60 @@
From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 8 Sep 2014 12:32:13 +0300
Subject: [PATCH] Adjust configuration to fit Red Hat specifics
---
raddb/mods-available/eap | 4 ++--
raddb/radiusd.conf.in | 7 +++----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 2621e183c..94494b2c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -533,7 +533,7 @@
# You should also delete all of the files
# in the directory when the server starts.
#
- # tmpdir = /tmp/radiusd
+ # tmpdir = /var/run/radiusd/tmp
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
@@ -548,7 +548,7 @@
# deleted by the server when the command
# returns.
#
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
# OCSP Configuration
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a83c1f687..e500cf97b 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
#
# libdir: Where to find the rlm_* modules.
@@ -398,8 +397,8 @@ security {
# member. This can allow for some finer-grained access
# controls.
#
-# user = radius
-# group = radius
+ user = radiusd
+ group = radiusd
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
--
2.13.2

11553
freeradius-Backport-OpenSSL3-fixes.patch Normal file
View File

File diff suppressed because it is too large Load Diff

39
freeradius-FIPS-exit-if-md5-not-allowed.patch Normal file
View File

@ -0,0 +1,39 @@
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
variable to 1 or else FR should exit at start.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/main/radiusd.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 9739514509..58a48895e6 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
+ /*
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
+ */
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (fips_file != NULL) {
+ int fips_enabled = fgetc(fips_file) - '0';
+ fclose(fips_file);
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+
/*
* According to the talloc peeps, no two threads may modify any part of
* a ctx tree with a common root without synchronisation.

32
freeradius-Fix-resource-hard-limit-error.patch Normal file
View File

@ -0,0 +1,32 @@
commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] debug: don't set resource hard limit to zero
Setting the resource hard limit to zero is irreversible, meaning if it
is set to zero then there is no way to set it higher. This means
enabling core dump is not possible, since setting a new resource limit
for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
can disable and enable core dumps without failures.
This fix is present in both main and 3.0.x upstream branches.
Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/lib/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/debug.c b/src/lib/debug.c
index 576bcb2a65..6330c9cb66 100644
--- a/src/lib/debug.c
+++ b/src/lib/debug.c
@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
struct rlimit no_core;
no_core.rlim_cur = 0;
- no_core.rlim_max = 0;
+ no_core.rlim_max = core_limits.rlim_max;
if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

51
freeradius-Fix-segfault-when-home_server-is-null.patch Normal file
View File

@ -0,0 +1,51 @@
From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Wed, 20 Nov 2019 13:59:54 -0500
Subject: [PATCH] a better fix for commit 30ffd21
Which still runs post-proxy-type fail if all of the home servers
are dead
[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
[antorres@redhat.com: removed first hunk of commit, already present]
---
src/main/process.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/main/process.c b/src/main/process.c
index c8b3af24e2..1a48517d43 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
}
old_server = request->server;
- rad_assert(request->home_server != NULL);
/*
* If the home server is virtual, just run pre_proxy from
* that section.
*/
- if (request->home_server->server) {
+ if (request->home_server && request->home_server->server) {
request->server = request->home_server->server;
} else {
@@ -3182,13 +3180,12 @@ do_home:
}
old_server = request->server;
- rad_assert(request->home_server != NULL);
/*
* If the home server is virtual, just run pre_proxy from
* that section.
*/
- if (request->home_server->server) {
+ if (request->home_server && request->home_server->server) {
request->server = request->home_server->server;
} else {
--
2.31.1

41
freeradius-Fix-unterminated-strings-in-SQL-queries.patch Normal file
View File

@ -0,0 +1,41 @@
From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 12 Nov 2021 16:23:05 +0100
Subject: [PATCH] Fix unterminated strings in SQL queries
Resolves: bz#2021247
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
raddb/mods-config/sql/ippool/mysql/queries.conf | 2 +-
raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
index 2dfc6574dd..444812a047 100644
--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
+++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
@@ -114,7 +114,7 @@ allocate_update = "\
nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
callingstationid = '%{Calling-Station-Id}', \
username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
- WHERE framedipaddress = '%I'
+ WHERE framedipaddress = '%I'"
#
# Use a stored procedure to find AND allocate the address. Read and customise
diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
index 31a5df3659..e92466108b 100644
--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
+++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
@@ -89,7 +89,7 @@ allocate_update = "\
callingstationid = '%{Calling-Station-Id}', \
username = '%{User-Name}', \
expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
- WHERE framedipaddress = '%I'
+ WHERE framedipaddress = '%I'"
#
# This series of queries frees an IP number when an accounting START record arrives
--
2.31.1

86
freeradius-Use-system-crypto-policy-by-default.patch Normal file
View File

@ -0,0 +1,86 @@
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 10:16:31 -0400
Subject: [PATCH] Use system-provided crypto-policies by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/mods-available/eap | 4 ++--
raddb/mods-available/inner-eap | 2 +-
raddb/sites-available/abfab-tls | 2 +-
raddb/sites-available/tls | 4 ++--
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 36849e10f2..b28c0f19c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -368,7 +368,7 @@ eap {
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
#
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -912,7 +912,7 @@ eap {
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
#
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+ # cipher_list = "PROFILE=SYSTEM"
# PAC lifetime in seconds (default: seven days)
#
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 576eb7739e..ffa07188e2 100644
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -77,7 +77,7 @@ eap inner-eap {
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 92f1d6330e..cd69b3905a 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
cache {
enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index bbc761b1c5..83cd35b851 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -215,7 +215,7 @@ listen {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -517,7 +517,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
}
}
--
2.21.0

91
freeradius-bootstrap-create-only.patch Normal file
View File

@ -0,0 +1,91 @@
From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 15:53:45 -0400
Subject: [PATCH] Don't clobber existing files on bootstrap
Rebased: v3.0.20
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aa..336a2bd 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -31,52 +31,55 @@ fi
# Don't edit the following text. Instead, edit the Makefile, and
# re-generate these commands.
#
-if [ ! -f dh ]; then
+if [ ! -e dh ]; then
openssl dhparam -out dh 2048 || exit 1
- if [ -e /dev/urandom ] ; then
- ln -sf /dev/urandom random
- else
- date > ./random;
- fi
+ ln -sf /dev/urandom random
fi
-if [ ! -f server.key ]; then
+if [ ! -e server.key ]; then
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
+ chmod g+r server.key
fi
-if [ ! -f ca.key ]; then
+if [ ! -e ca.key ]; then
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
fi
-if [ ! -f index.txt ]; then
+if [ ! -e index.txt ]; then
touch index.txt
fi
-if [ ! -f serial ]; then
+if [ ! -e serial ]; then
echo '01' > serial
fi
-if [ ! -f server.crt ]; then
+if [ ! -e server.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
fi
-if [ ! -f server.p12 ]; then
+if [ ! -e server.p12 ]; then
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+ chmod g+r server.p12
fi
-if [ ! -f server.pem ]; then
+if [ ! -e server.pem ]; then
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
openssl verify -CAfile ca.pem server.pem || exit 1
+ chmod g+r server.pem
fi
-if [ ! -f ca.der ]; then
+if [ ! -e ca.der ]; then
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
fi
-if [ ! -f client.key ]; then
+if [ ! -e client.key ]; then
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ chmod g+r client.key
fi
-if [ ! -f client.crt ]; then
+if [ ! -e client.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
fi
+
+chown root:radiusd dh ca.* client.* server.*
+chmod 640 dh ca.* client.* server.*
--
2.26.2

52
freeradius-bootstrap-fixed-dhparam.patch Normal file
View File

@ -0,0 +1,52 @@
From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 16:10:52 -0400
Subject: [PATCH] Use fixed FIPS-approved dhparam by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/Makefile | 2 +-
raddb/certs/bootstrap | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd46..41b7aea 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
#
######################################################################
dh:
- $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ cp rfc3526-group-18-8192.dhparam dh
######################################################################
#
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 9920ecf..59b3310 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -13,6 +13,10 @@
umask 027
cd `dirname $0`
+if [ ! -e random ]; then
+ ln -sf /dev/urandom random
+fi
+
make -h > /dev/null 2>&1
#
@@ -35,8 +39,7 @@ fi
# re-generate these commands.
#
if [ ! -e dh ]; then
- openssl dhparam -out dh 2048 || exit 1
- ln -sf /dev/urandom random
+ cp rfc3526-group-18-8192.dhparam dh
fi
if [ ! -e server.key ]; then
--
2.26.2

29
freeradius-bootstrap-make-permissions.patch Normal file
View File

@ -0,0 +1,29 @@
From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 4 Aug 2020 10:08:15 -0400
Subject: [PATCH] Fix permissions after generating certificates with make
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 336a2bd..9920ecf 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
#
if [ "$?" = "0" ]; then
make all
- exit $?
+ ret=$?
+ chown root:radiusd dh ca.* client.* server.*
+ chmod 640 dh ca.* client.* server.*
+ exit $ret
fi
#
--
2.26.2

136
freeradius-bootstrap-pass-noenc-to-certificate-generation.patch Normal file
View File

@ -0,0 +1,136 @@
From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 22 Apr 2022 12:27:43 +0200
Subject: [PATCH] bootstrap: pass -noenc to certificate generation
Bootstrap script would fail to generate certificates if run on systems
with FIPS enabled. By passing the -noenc option, we can skip the usage
of unsupported algorithms on these systems.
After generating the certificates, correct permissions are set.
Signed-off-by: Antonio Torres <antorres@redhat.com>
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
In bootstrap diff, -f is changed to -e in conditionals.
---
raddb/certs/Makefile | 20 ++++++++++++++++----
raddb/certs/bootstrap | 6 +++---
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd467ce..cb10394ec3 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
######################################################################
dh:
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ chown root:radiusd dh
+ chmod 640 dh
######################################################################
#
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
@[ -f serial ] || $(MAKE) serial
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
chmod g+r ca.key
+ chown root:radiusd ca.*
+ chmod 640 ca.*
ca.der: ca.pem
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
@@ -81,6 +85,8 @@ ca.crl: ca.pem
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
rm ca-crl.pem
+ chown root:radiusd ca.*
+ chmod 640 ca.*
######################################################################
#
@@ -88,7 +94,7 @@ ca.crl: ca.pem
#
######################################################################
server.csr server.key: server.cnf
- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
chmod g+r server.key
server.crt: server.csr ca.key ca.pem
@@ -101,6 +107,8 @@ server.p12: server.crt
server.pem: server.p12
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
chmod g+r server.pem
+ chown root:radiusd server.*
+ chmod 640 server.*
.PHONY: server.vrfy
server.vrfy: ca.pem
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
#
######################################################################
client.csr client.key: client.cnf
- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key
client.crt: client.csr ca.pem ca.key
@@ -127,6 +135,8 @@ client.pem: client.p12
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
chmod g+r client.pem
cp client.pem $(USER_NAME).pem
+ chown root:radiusd client.*
+ chmod 640 client.*
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
#
######################################################################
inner-server.csr inner-server.key: inner-server.cnf
- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
chmod g+r inner-server.key
inner-server.crt: inner-server.csr ca.key ca.pem
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
inner-server.pem: inner-server.p12
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
chmod g+r inner-server.pem
+ chown root:radiusd inner-server.*
+ chmod 640 inner-server.*
.PHONY: inner-server.vrfy
inner-server.vrfy: ca.pem
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 57de8cf0d7..c258ec45e0 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
fi
if [ ! -e server.key ]; then
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
chmod g+r server.key
fi
if [ ! -e ca.key ]; then
- openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
fi
if [ ! -e index.txt ]; then
@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
fi
if [ ! -e client.key ]; then
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key
fi

72
freeradius-bootstrap-run-only-once.patch Normal file
View File

@ -0,0 +1,72 @@
Author: Antonio Torres <antorres@redhat.com>
Date: Wed Jul 20 2021
Subject: [PATCH] ensure bootstrap script is run only once
The bootstrap script should only run once. By checking if there are
certificates in the directory, we can exit early if certificates were
already generated.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
Signed-off-by: Antonio Torres antorres@redhat.com
---
raddb/certs/README | 16 ++++++----------
raddb/certs/bootstrap | 18 ++++++++++++------
2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/README b/raddb/certs/README
index 6288921da1..32413964dd 100644
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode should also create test
-certificates, i.e.:
+the server in root mode should also create test certificates.
-$ radiusd -X
-
- That will cause the EAP-TLS module to run the "bootstrap" script in
-this directory. The script will be executed only once, the first time
-the server has been installed on a particular machine. This bootstrap
-script SHOULD be run on installation of any pre-built binary package
-for your OS. In any case, the script will ensure that it is not run
-twice, and that it does not over-write any existing certificates.
+ The start of FreeRADIUS will cause to run the "bootstrap" script.
+The script will be executed during every start of FreeRADIUS via systemd but
+the script will ensure that it does not overwrite any existing certificates.
+Ideally, the bootstrap script file should be deleted after new testing certificates
+have been generated.
If you already have CA and server certificates, rename (or delete)
this directory, and create a new "certs" directory containing your
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aafd4..92254dc936 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -1,12 +1,18 @@
#!/bin/sh
#
-# This is a wrapper script to create default certificates when the
-# server first starts in debugging mode. Once the certificates have been
-# created, this file should be deleted.
+# Bootstrap script should be run only once. If there are already certificates
+# generated, skip the execution.
+#
+cd `dirname $0`
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
+ exit 0
+fi
+
#
-# Ideally, this program should be run as part of the installation of any
-# binary package. The installation should also ensure that the permissions
-# and owners are correct for the files generated by this script.
+# This is a wrapper script to create default certificates when the
+# server starts via systemd. It should also ensure that the
+# permissions and owners are correct for the generated files. Once
+# the certificates have been created, this file should be deleted.
#
# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
#

1955
freeradius-fixes-to-python3-module-since-v3.0.20.patch Normal file
View File

File diff suppressed because it is too large Load Diff

31
freeradius-ldap-infinite-timeout-on-starttls.patch Normal file
View File

@ -0,0 +1,31 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 28 Jan 2022
Subject: Use infinite timeout when using LDAP+start-TLS
This will ensure that the TLS connection to the LDAP server will complete
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
the process. Infinite timeout is the OpenLDAP default.
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
src/modules/rlm_ldap/ldap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index cf7a84e069..841bf888a1 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
}
#ifdef LDAP_OPT_NETWORK_TIMEOUT
- if (inst->net_timeout) {
+ bool using_tls = inst->start_tls ||
+ inst->port == 636 ||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
+ if (inst->net_timeout && !using_tls) {
memset(&tv, 0, sizeof(tv));
tv.tv_sec = inst->net_timeout;

57
freeradius-logrotate Normal file
View File

@ -0,0 +1,57 @@
# You can use this to rotate the /var/log/radius/* files, simply copy
# it to /etc/logrotate.d/radiusd
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/radius/radacct/*/detail {
monthly
rotate 4
nocreate
missingok
compress
su radiusd radiusd
}
/var/log/radius/checkrad.log {
monthly
rotate 4
create
missingok
compress
su radiusd radiusd
}
/var/log/radius/radius.log {
monthly
rotate 4
create
missingok
compress
su radiusd radiusd
postrotate
/usr/bin/systemctl reload-or-try-restart radiusd
endscript
}
/var/log/radius/radwtmp {
monthly
rotate 4
create
compress
missingok
su radiusd radiusd
}
/var/log/radius/sqltrace.sql {
monthly
rotate 4
create
compress
missingok
su radiusd radiusd
}

93
freeradius-man-Fix-some-typos.patch Normal file
View File

@ -0,0 +1,93 @@
From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 11:53:28 +0300
Subject: [PATCH] man: Fix some typos
---
man/man1/radzap.1 | 4 ++--
man/man5/unlang.5 | 6 +++---
man/man8/radcrypt.8 | 2 +-
man/man8/radiusd.8 | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
index a2d529d064..03b9a43a54 100644
--- a/man/man1/radzap.1
+++ b/man/man1/radzap.1
@@ -1,4 +1,4 @@
-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
+.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
.SH NAME
radzap - remove rogue entries from the active sessions database
.SH SYNOPSIS
@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
.RB [ \-x ]
\fIserver[:port] secret\fP
.SH DESCRIPTION
-The FreeRadius server can be configured to maintain an active session
+The FreeRADIUS server can be configured to maintain an active session
database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
use this database. Sometimes that database can get out of sync, and
then it might contain rogue entries. \fBradzap\fP can clean up this
diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
index 40db5fa6e7..5f765f1787 100644
--- a/man/man5/unlang.5
+++ b/man/man5/unlang.5
@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
of Version 3, the <list> can be omitted, in which case "request" is
assumed.
-The "control" list is the list of attributes maintainted internally by
+The "control" list is the list of attributes maintained internally by
the server that controls how the server processes the request. Any
attribute that does not go in a packet on the network will generally
be placed in the "control" list.
@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
quotes, or back-quoted). Also evaluates to true if 'foo' is a
non-zero number. Note that the language is poorly typed, so the
string "0000" can be interpreted as a numerical zero. This issue can
-be avoided by comparings strings to an empty string, rather than by
+be avoided by comparing strings to an empty string, rather than by
evaluating the string by itself.
If the word 'foo' is not a quoted string, then it can be taken as a
@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
.IP ok
Instructs the server that the request was processed properly. This
keyword can be used to over-ride earlier failures, if the local
-administrator determines that the faiures are not catastrophic.
+administrator determines that the failures are not catastrophic.
.IP reject
Causes the request to be immediately rejected
.SH MODULE RETURN CODES
diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
index 08336c66f2..2917f60c46 100644
--- a/man/man8/radcrypt.8
+++ b/man/man8/radcrypt.8
@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
Ignored if performing a password check.
.IP "\-c --check"
Perform a validation check on a password hash to verify if it matches
-the plantext password.
+the plaintext password.
.SH EXAMPLES
.nf
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index 98aef5e1be..2ef5ccf789 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
used in the other configuration files. You don't have to modify it.
It includes other dictionary files in the same directory.
.IP hints
-Defines certain hints to the radius server based on the users's loginname
+Defines certain hints to the radius server based on the users' loginname
or other attributes sent by the access server. It also provides for
mapping user names (such as Pusername -> username). This provides the
functionality that the \fILivingston 2.0\fP server has as "Prefix" and
-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
+"Suffix" support in the \fIusers\fP file, but is more general. Of course
the Livingston way of doing things is also supported, and you can even use
both at the same time (within certain limits).
.IP huntgroups

104
freeradius-no-buildtime-cert-gen.patch Normal file
View File

@ -0,0 +1,104 @@
From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 12:58:02 -0400
Subject: [PATCH] Don't generate certificates in reproducible builds
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
Make.inc.in | 5 +++++
configure | 4 ++++
configure.ac | 3 +++
raddb/all.mk | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/Make.inc.in b/Make.inc.in
index 0b2cd74de8..8c623cf95c 100644
--- a/Make.inc.in
+++ b/Make.inc.in
@@ -173,3 +173,8 @@ else
TESTBINDIR = ./$(BUILD_DIR)/bin
TESTBIN = ./$(BUILD_DIR)/bin
endif
+
+#
+# With reproducible builds, do not generate certificates during installation
+#
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
diff --git a/configure b/configure
index c2c599c92b..3d4403a844 100755
--- a/configure
+++ b/configure
@@ -655,6 +655,7 @@ RUSERS
SNMPWALK
SNMPGET
PERL
+ENABLE_REPRODUCIBLE_BUILDS
openssl_version_check_config
WITH_DHCP
modconfdir
@@ -5586,6 +5587,7 @@ else
fi
+ENABLE_REPRODUCIBLE_BUILDS=yes
# Check whether --enable-reproducible-builds was given.
if test "${enable_reproducible_builds+set}" = set; then :
enableval=$enable_reproducible_builds; case "$enableval" in
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac
fi
@@ -5604,6 +5607,7 @@ fi
+
CHECKRAD=checkrad
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
diff --git a/configure.ac b/configure.ac
index a7abf0025a..35b013f4af 100644
--- a/configure.ac
+++ b/configure.ac
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
dnl #
dnl # extra argument: --enable-reproducible-builds
dnl #
+ENABLE_REPRODUCIBLE_BUILDS=yes
AC_ARG_ENABLE(reproducible-builds,
[AS_HELP_STRING([--enable-reproducible-builds],
[ensure the build does not change each time])],
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac ]
)
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
dnl #############################################################
diff --git a/raddb/all.mk b/raddb/all.mk
index c966edd657..c8e976a499 100644
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
ifneq "$(LOCAL_CERT_PRODUCTS)" ""
$(LOCAL_CERT_PRODUCTS):
@echo BOOTSTRAP raddb/certs/
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
+ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
+else
@$(MAKE) -C $(R)$(raddbdir)/certs/
+endif
# Bootstrap is special
$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
--
2.21.0

45
freeradius-no-dh-param-load-FIPS.patch Normal file
View File

@ -0,0 +1,45 @@
From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 5 Aug 2020 11:39:45 -0400
Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
user-provided dhparams will be ignored (and dhparam generation
may fail as well), unless they are on the FIPS approved list of
parameters. However, OpenSSL since v1.1.1 will automatically select
an appropriate DH parameter set anyways, if the user did not provide
any. These will be FIPS approved.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/main/tls.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/main/tls.c b/src/main/tls.c
index 5809a1bd7d..5e6493333c 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
if (!file) return 0;
+ /*
+ * Prior to trying to load the file, check what OpenSSL will do with it.
+ *
+ * Certain downstreams (such as RHEL) will ignore user-provided dhparams
+ * in FIPS mode, unless the specified parameters are FIPS-approved.
+ * However, since OpenSSL >= 1.1.1 will automatically select parameters
+ * anyways, there's no point in attempting to load them.
+ *
+ * Change suggested by @t8m
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ if (FIPS_mode() > 0) {
+ WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
+ return 0;
+ }
+#endif
+
if ((bio = BIO_new_file(file, "r")) == NULL) {
ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
return -1;

6
freeradius-pam-conf Normal file
View File

@ -0,0 +1,6 @@
#%PAM-1.0
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth

1
freeradius-tmpfiles.conf Normal file
View File

@ -0,0 +1 @@
D /run/radiusd 0710 radiusd radiusd -

2503
freeradius.spec Normal file
View File

File diff suppressed because it is too large Load Diff

3
freeradius.sysusers Normal file
View File

@ -0,0 +1,3 @@
#Type Name ID GECOS Home directory Shell
u radiusd 95 "radiusd user" /var/lib/radiusd /sbin/nologin
g radiusd 95 - - -

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

16
radiusd.service Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
[Service]
Type=forking
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target

24
rfc3526-group-18-8192.pem Normal file
View File

@ -0,0 +1,24 @@
-----BEGIN DH PARAMETERS-----
MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
-----END DH PARAMETERS-----

3
rpminspect.yaml Normal file
View File

@ -0,0 +1,3 @@
---
inspections:
badfuncs: off

1
sources Normal file
View File

@ -0,0 +1 @@
SHA1 (freeradius-server-3.0.20.tar.bz2) = 3dd0e18fa04aff410876309e4322313b700db2b7

36
tests/auth-tests/Makefile Normal file
View File

@ -0,0 +1,36 @@
# SPDX-License-Identifier: LGPL-2.1+
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/freeradius
# Description: Test if freeradius authentication workd ok
# Author: Susant Sahani<susant@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/freeradius
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Susant Sahani<susant@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test if the ABI hasn't changed" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: freeradius" >> $(METADATA)
@echo "Requires: freeradius freeradius-utils python3 python3-psutil" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -Fedora 28" >> $(METADATA)
rhts-lint $(METADATA)

3
tests/auth-tests/PURPOSE Normal file
View File

@ -0,0 +1,3 @@
PURPOSE of /CoreOS/freeradius
Description: tests for freeradius
Author: Susant Sahani<susant@redhat.com>

2
tests/auth-tests/authorize Normal file
View File

@ -0,0 +1,2 @@
fedora-ci Cleartext-Password := "password"
Reply-Message = "Hello, %{User-Name}"

6
tests/auth-tests/clients.conf Normal file
View File

@ -0,0 +1,6 @@
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
nastype = other
}

68
tests/auth-tests/freeradius-tests.py Executable file
View File

@ -0,0 +1,68 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# Description: Tests for freeradius
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
import errno
import os
import sys
import time
import unittest
import subprocess
import signal
import shutil
import psutil
import socket
RADIUSD_PID_FILE='/var/run/radiusd/radiusd.pid'
def setUpModule():
"""Initialize the environment, and perform sanity checks on it."""
if shutil.which('radiusd') is None:
raise OSError(errno.ENOENT, 'radiusd not found')
if shutil.which('radtest') is None:
raise OSError(errno.ENOENT, 'radtest not found')
if subprocess.call(['systemctl', 'is-active', '--quiet',
'radiusd.service']) == 0:
raise unittest.SkipTest('radiusd.service is already active')
def tearDownModule():
pass
class GenericUtilities():
"""Provide a set of utility functions start stop daemons. write config files etc """
def StartRadiusServer(self):
"""Start radiusd"""
subprocess.check_output(['systemctl', 'start', 'radiusd'])
def StopRadiusServer(self):
"""stop radiusd"""
subprocess.check_output(['systemctl', 'stop', 'radiusd'])
class RadiousTests(unittest.TestCase, GenericUtilities):
def setUp(self):
self.StartRadiusServer()
def tearDown(self):
self.StopRadiusServer()
def test_radius_plaintext_auth(self):
time.sleep(1)
output=subprocess.check_output(['radtest', 'fedora-ci', 'password', '127.0.0.1', '100', 'testing123']).rstrip().decode('utf-8')
print(output)
self.assertRegex(output, "Received Access-Accept")
self.assertRegex(output, "Reply-Message = \"Hello, fedora-ci\"")
if __name__ == '__main__':
unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
verbosity=3))

70
tests/auth-tests/runtest.sh Executable file
View File

@ -0,0 +1,70 @@
#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# runtest.sh of freeradius
# Description: RADIUS server
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="freeradius"
RADIUS_CLIENT_CONF="/etc/raddb/clients.conf"
RADIUD_PALIN_TEXT_AUTH_FILE="/etc/raddb/mods-config/files/authorize"
generate_cert(){
pushd /etc/raddb/certs/
#remove certificates if exists;generate new certificates
if [[ -f /etc/raddb/certs/bootstrap ]]; then
rlLog "Destroy and create new default certificates via bootstrap script"
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* dh
rlRun "sh /etc/raddb/certs/bootstrap" 0 "Gnenerating certificates"
else
rlLogWarning "!!! WARNING bootsrap file does not exist !!!"
rlLog "Destroy and create new default certificates via make scripts"
make destroycerts -C /etc/raddb/certs/
#create new certificates
make -C /etc/raddb/certs/
chown root:radiusd dh ca.* client.* server.*
chmod 640 dh ca.* client.* server.*
fi
popd
}
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "systemctl stop firewalld" 0,5
rlRun "systemctl stop radiusd.service"
rlRun "setenforce 0"
rlFileBackup "$RADIUS_CLIENT_CONF"
rlFileBackup "$RADIUD_PALIN_TEXT_AUTH_FILE"
rlRun "cp freeradius-tests.py /usr/bin/"
rlRun "cp clients.conf $RADIUS_CLIENT_CONF"
rlRun "cp authorize $RADIUD_PALIN_TEXT_AUTH_FILE"
rlRun "systemctl daemon-reload"
#manually generate default certificates
generate_cert
rlPhaseEnd
rlPhaseStartTest
rlLog "Starting radius auth tests ..."
rlRun "/usr/bin/python3 /usr/bin/freeradius-tests.py"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm /usr/bin/freeradius-tests.py"
rlRun "systemctl start firewalld" 0,5
rlRun "setenforce 1"
rlFileRestore
rlLog "freeradius tests done"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
rlGetTestState

12
tests/tests.yml Normal file
View File

@ -0,0 +1,12 @@
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- auth-tests
required_packages:
- python3
- systemd
- freeradius
- freeradius-utils