Import rpm: f5c254fdd9f2279858ae11c7b9e7e625a976c1dd

.gitignore

@@ -0,0 +1 @@
+SOURCES/freeradius-server-3.0.20.tar.bz2

freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch

@@ -0,0 +1,60 @@
+From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 8 Sep 2014 12:32:13 +0300
+Subject: [PATCH] Adjust configuration to fit Red Hat specifics
+
+---
+ raddb/mods-available/eap | 4 ++--
+ raddb/radiusd.conf.in    | 7 +++----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 2621e183c..94494b2c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -533,7 +533,7 @@
+ 			#  You should also delete all of the files
+ 			#  in the directory when the server starts.
+ 			#
+-		#	tmpdir = /tmp/radiusd
++		#	tmpdir = /var/run/radiusd/tmp
+ 
+ 			#  The command used to verify the client cert.
+ 			#  We recommend using the OpenSSL command-line
+@@ -548,7 +548,7 @@
+ 			#  deleted by the server when the command
+ 			#  returns.
+ 			#
+-		#	client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
++		#	client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ 		}
+ 
+ 		#  OCSP Configuration
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index a83c1f687..e500cf97b 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
+ cadir   = ${confdir}/certs
+ run_dir = ${localstatedir}/run/${name}
+ 
+-# Should likely be ${localstatedir}/lib/radiusd
+-db_dir = ${raddbdir}
++db_dir = ${localstatedir}/lib/radiusd
+ 
+ #
+ # libdir: Where to find the rlm_* modules.
+@@ -398,8 +397,8 @@ security {
+ 	#  member.  This can allow for some finer-grained access
+ 	#  controls.
+ 	#
+-#	user = radius
+-#	group = radius
++	user = radiusd
++	group = radiusd
+ 
+ 	#  Core dumps are a bad thing.  This should only be set to
+ 	#  'yes' if you're debugging a problem with the server.
+-- 
+2.13.2
+

freeradius-FIPS-exit-if-md5-not-allowed.patch

@@ -0,0 +1,39 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
+
+	FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
+	explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
+	variable to 1 or else FR should exit at start.
+	
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
+	Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ src/main/radiusd.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/main/radiusd.c b/src/main/radiusd.c
+index 9739514509..58a48895e6 100644
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
+ 		exit(EXIT_FAILURE);
+ 	}
+ 
++	/*
++	 *  If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
++	 */
++	char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
++	FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
++	if (fips_file != NULL) {
++		int fips_enabled = fgetc(fips_file) - '0';
++		fclose(fips_file);
++		if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
++			fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
++			exit(EXIT_FAILURE);
++		}
++	}
++
+ 	/*
+ 	 *  According to the talloc peeps, no two threads may modify any part of
+ 	 *  a ctx tree with a common root without synchronisation.

freeradius-Fix-resource-hard-limit-error.patch

@@ -0,0 +1,32 @@
+commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] debug: don't set resource hard limit to zero
+
+    Setting the resource hard limit to zero is irreversible, meaning if it
+    is set to zero then there is no way to set it higher. This means
+    enabling core dump is not possible, since setting a new resource limit
+    for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
+    can disable and enable core dumps without failures.
+
+    This fix is present in both main and 3.0.x upstream branches.
+    
+    Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
+    Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ src/lib/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/debug.c b/src/lib/debug.c
+index 576bcb2a65..6330c9cb66 100644
+--- a/src/lib/debug.c
++++ b/src/lib/debug.c
+@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
+ 		struct rlimit no_core;
+ 
+ 		no_core.rlim_cur = 0;
+-		no_core.rlim_max = 0;
++		no_core.rlim_max = core_limits.rlim_max;
+ 
+ 		if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
+ 			fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

freeradius-Fix-segfault-when-home_server-is-null.patch

@@ -0,0 +1,51 @@
+From e2de6fab148e800380f1929fe4ea88a38de42053 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 20 Nov 2019 13:59:54 -0500
+Subject: [PATCH] a better fix for commit 30ffd21
+
+Which still runs post-proxy-type fail if all of the home servers
+are dead
+
+[antorres@redhat.com: solved in FR 3.0.21, resolves bz#2030173]
+[antorres@redhat.com: removed first hunk of commit, already present]
+---
+ src/main/process.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/src/main/process.c b/src/main/process.c
+index c8b3af24e2..1a48517d43 100644
+--- a/src/main/process.c
++++ b/src/main/process.c
+@@ -2475,13 +2474,12 @@ static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
+ 	}
+ 
+ 	old_server = request->server;
+-	rad_assert(request->home_server != NULL);
+ 
+ 	/*
+ 	 *	If the home server is virtual, just run pre_proxy from
+ 	 *	that section.
+ 	 */
+-	if (request->home_server->server) {
++	if (request->home_server && request->home_server->server) {
+ 		request->server = request->home_server->server;
+ 
+ 	} else {
+@@ -3182,13 +3180,12 @@ do_home:
+ 	}
+ 
+ 	old_server = request->server;
+-	rad_assert(request->home_server != NULL);
+ 
+ 	/*
+ 	 *	If the home server is virtual, just run pre_proxy from
+ 	 *	that section.
+ 	 */
+-	if (request->home_server->server) {
++	if (request->home_server && request->home_server->server) {
+ 		request->server = request->home_server->server;
+ 
+ 	} else {
+-- 
+2.31.1
+

freeradius-Fix-unterminated-strings-in-SQL-queries.patch

@@ -0,0 +1,41 @@
+From 3fd832baf898fe6d6f974cd2d36d1c5206bc2209 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 12 Nov 2021 16:23:05 +0100
+Subject: [PATCH] Fix unterminated strings in SQL queries
+
+Resolves: bz#2021247
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ raddb/mods-config/sql/ippool/mysql/queries.conf  | 2 +-
+ raddb/mods-config/sql/ippool/sqlite/queries.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/raddb/mods-config/sql/ippool/mysql/queries.conf b/raddb/mods-config/sql/ippool/mysql/queries.conf
+index 2dfc6574dd..444812a047 100644
+--- a/raddb/mods-config/sql/ippool/mysql/queries.conf
++++ b/raddb/mods-config/sql/ippool/mysql/queries.conf
+@@ -114,7 +114,7 @@ allocate_update = "\
+ 		nasipaddress = '%{NAS-IP-Address}', pool_key = '${pool_key}', \
+ 		callingstationid = '%{Calling-Station-Id}', \
+ 		username = '%{User-Name}', expiry_time = NOW() + INTERVAL ${lease_duration} SECOND \
+-	WHERE framedipaddress = '%I'
++	WHERE framedipaddress = '%I'"
+ 
+ #
+ #  Use a stored procedure to find AND allocate the address. Read and customise
+diff --git a/raddb/mods-config/sql/ippool/sqlite/queries.conf b/raddb/mods-config/sql/ippool/sqlite/queries.conf
+index 31a5df3659..e92466108b 100644
+--- a/raddb/mods-config/sql/ippool/sqlite/queries.conf
++++ b/raddb/mods-config/sql/ippool/sqlite/queries.conf
+@@ -89,7 +89,7 @@ allocate_update = "\
+ 		callingstationid = '%{Calling-Station-Id}', \
+ 		username = '%{User-Name}', \
+ 		expiry_time = datetime(strftime('%%s', 'now') + ${lease_duration}, 'unixepoch') \
+-	WHERE framedipaddress = '%I'
++	WHERE framedipaddress = '%I'"
+ 
+ #
+ #  This series of queries frees an IP number when an accounting START record arrives
+-- 
+2.31.1
+

freeradius-Use-system-crypto-policy-by-default.patch

@@ -0,0 +1,86 @@
+From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 10:16:31 -0400
+Subject: [PATCH] Use system-provided crypto-policies by default
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/mods-available/eap        | 4 ++--
+ raddb/mods-available/inner-eap  | 2 +-
+ raddb/sites-available/abfab-tls | 2 +-
+ raddb/sites-available/tls       | 4 ++--
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 36849e10f2..b28c0f19c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -368,7 +368,7 @@ eap {
+ 		#
+ 		#  For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ 		#
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  If enabled, OpenSSL will use server cipher list
+ 		#  (possibly defined by cipher_list option above)
+@@ -912,7 +912,7 @@ eap {
+ 		#  Note - for OpenSSL 1.1.0 and above you may need
+ 		#  to add ":@SECLEVEL=0"
+ 		#
+-	#	cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
++	#	cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  PAC lifetime in seconds (default: seven days)
+ 		#
+diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
+index 576eb7739e..ffa07188e2 100644
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -77,7 +77,7 @@ eap inner-eap {
+ 		#  certificates.  If so, edit this file.
+ 		ca_file = ${cadir}/ca.pem
+ 
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  You may want to set a very small fragment size.
+ 		#  The TLS data here needs to go inside of the
+diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
+index 92f1d6330e..cd69b3905a 100644
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -19,7 +19,7 @@ listen {
+ 		dh_file = ${certdir}/dh
+ 		fragment_size = 8192
+ 		ca_path = ${cadir}
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		cache {
+ 			enable = no
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index bbc761b1c5..83cd35b851 100644
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -215,7 +215,7 @@ listen {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		# If enabled, OpenSSL will use server cipher list
+ 		# (possibly defined by cipher_list option above)
+@@ -517,7 +517,7 @@ home_server tls {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 	}
+ 
+ }
+-- 
+2.21.0
+

freeradius-bootstrap-create-only.patch

@@ -0,0 +1,91 @@
+From 3f40655ad0708b74a4a41b13c2b21995b157c14d Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 15:53:45 -0400
+Subject: [PATCH] Don't clobber existing files on bootstrap
+
+Rebased: v3.0.20
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/bootstrap | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aa..336a2bd 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -31,52 +31,55 @@ fi
+ #  Don't edit the following text.  Instead, edit the Makefile, and
+ #  re-generate these commands.
+ #
+-if [ ! -f dh ]; then
++if [ ! -e dh ]; then
+   openssl dhparam -out dh 2048 || exit 1
+-  if [ -e /dev/urandom ] ; then
+-	ln -sf /dev/urandom random
+-  else
+-	date > ./random;
+-  fi
++  ln -sf /dev/urandom random
+ fi
+ 
+-if [ ! -f server.key ]; then
++if [ ! -e server.key ]; then
+   openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
++  chmod g+r server.key
+ fi
+ 
+-if [ ! -f ca.key ]; then
++if [ ! -e ca.key ]; then
+   openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+ fi
+ 
+-if [ ! -f index.txt ]; then
++if [ ! -e index.txt ]; then
+   touch index.txt
+ fi
+ 
+-if [ ! -f serial ]; then
++if [ ! -e serial ]; then
+   echo '01' > serial
+ fi
+ 
+-if [ ! -f server.crt ]; then
++if [ ! -e server.crt ]; then
+   openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
+ fi
+ 
+-if [ ! -f server.p12 ]; then
++if [ ! -e server.p12 ]; then
+   openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
++  chmod g+r server.p12
+ fi
+ 
+-if [ ! -f server.pem ]; then
++if [ ! -e server.pem ]; then
+   openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+   openssl verify -CAfile ca.pem server.pem || exit 1
++  chmod g+r server.pem
+ fi
+ 
+-if [ ! -f ca.der ]; then
++if [ ! -e ca.der ]; then
+   openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
+ fi
+ 
+-if [ ! -f client.key ]; then
++if [ ! -e client.key ]; then
+   openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
++  chmod g+r client.key
+ fi
+ 
+-if [ ! -f client.crt ]; then
++if [ ! -e client.crt ]; then
+   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ fi
++
++chown root:radiusd dh ca.* client.* server.*
++chmod 640 dh ca.* client.* server.*
+-- 
+2.26.2
+

freeradius-bootstrap-fixed-dhparam.patch

@@ -0,0 +1,52 @@
+From b31f1ab9a0e1c010037d2d660e3ce4ea7eb07d6c Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 16:10:52 -0400
+Subject: [PATCH] Use fixed FIPS-approved dhparam by default
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/Makefile  | 2 +-
+ raddb/certs/bootstrap | 7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd46..41b7aea 100644
+--- a/raddb/certs/Makefile
++++ b/raddb/certs/Makefile
+@@ -59,7 +59,7 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ #
+ ######################################################################
+ dh:
+-	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
++	cp rfc3526-group-18-8192.dhparam dh
+ 
+ ######################################################################
+ #
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 9920ecf..59b3310 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -13,6 +13,10 @@
+ umask 027
+ cd `dirname $0`
+ 
++if [ ! -e random ]; then
++  ln -sf /dev/urandom random
++fi
++
+ make -h > /dev/null 2>&1
+ 
+ #
+@@ -35,8 +39,7 @@ fi
+ #  re-generate these commands.
+ #
+ if [ ! -e dh ]; then
+-  openssl dhparam -out dh 2048 || exit 1
+-  ln -sf /dev/urandom random
++  cp rfc3526-group-18-8192.dhparam dh
+ fi
+ 
+ if [ ! -e server.key ]; then
+-- 
+2.26.2
+

freeradius-bootstrap-make-permissions.patch

@@ -0,0 +1,29 @@
+From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 4 Aug 2020 10:08:15 -0400
+Subject: [PATCH] Fix permissions after generating certificates with make
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/bootstrap | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 336a2bd..9920ecf 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
+ #
+ if [ "$?" = "0" ]; then
+   make all
+-  exit $?
++  ret=$?
++  chown root:radiusd dh ca.* client.* server.*
++  chmod 640 dh ca.* client.* server.*
++  exit $ret
+ fi
+ 
+ #
+-- 
+2.26.2
+

freeradius-bootstrap-pass-noenc-to-certificate-generation.patch

@@ -0,0 +1,136 @@
+From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 22 Apr 2022 12:27:43 +0200
+Subject: [PATCH] bootstrap: pass -noenc to certificate generation
+
+Bootstrap script would fail to generate certificates if run on systems
+with FIPS enabled. By passing the -noenc option, we can skip the usage
+of unsupported algorithms on these systems.
+
+After generating the certificates, correct permissions are set.
+
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+
+[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
+In bootstrap diff, -f is changed to -e in conditionals.
+---
+ raddb/certs/Makefile  | 20 ++++++++++++++++----
+ raddb/certs/bootstrap |  6 +++---
+ 2 files changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 5cbfd467ce..cb10394ec3 100644
+--- a/raddb/certs/Makefile
++++ b/raddb/certs/Makefile
+@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ ######################################################################
+ dh:
+ 	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
++	chown root:radiusd dh
++	chmod 640 dh
+ 
+ ######################################################################
+ #
+@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
+ 	@[ -f serial ] || $(MAKE) serial
+ 	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
+ 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
+-		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
++		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
+ 	chmod g+r ca.key
++	chown root:radiusd ca.*
++	chmod 640 ca.*
+ 
+ ca.der: ca.pem
+ 	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
+@@ -81,6 +85,8 @@ ca.crl: ca.pem
+ 	$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
+ 	$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
+ 	rm ca-crl.pem
++	chown root:radiusd ca.*
++	chmod 640 ca.*
+ 
+ ######################################################################
+ #
+@@ -88,7 +94,7 @@ ca.crl: ca.pem
+ #
+ ######################################################################
+ server.csr server.key: server.cnf
+-	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
++	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf -noenc
+ 	chmod g+r server.key
+ 
+ server.crt: server.csr ca.key ca.pem
+@@ -101,6 +107,8 @@ server.p12: server.crt
+ server.pem: server.p12
+ 	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ 	chmod g+r server.pem
++	chown root:radiusd server.*
++	chmod 640 server.*
+ 
+ .PHONY: server.vrfy
+ server.vrfy: ca.pem
+@@ -113,7 +121,7 @@ server.vrfy: ca.pem
+ #
+ ######################################################################
+ client.csr client.key: client.cnf
+-	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
++	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf -noenc
+ 	chmod g+r client.key
+ 
+ client.crt: client.csr ca.pem ca.key
+@@ -127,6 +135,8 @@ client.pem: client.p12
+ 	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ 	chmod g+r client.pem
+ 	cp client.pem $(USER_NAME).pem
++	chown root:radiusd client.*
++	chmod 640 client.*
+ 
+ .PHONY: client.vrfy
+ client.vrfy: ca.pem client.pem
+@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
+ #
+ ######################################################################
+ inner-server.csr inner-server.key: inner-server.cnf
+-	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
++	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
+ 	chmod g+r inner-server.key
+ 
+ inner-server.crt: inner-server.csr ca.key ca.pem
+@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
+ inner-server.pem: inner-server.p12
+ 	$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ 	chmod g+r inner-server.pem
++	chown root:radiusd inner-server.*
++	chmod 640 inner-server.*
+ 
+ .PHONY: inner-server.vrfy
+ inner-server.vrfy: ca.pem
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 57de8cf0d7..c258ec45e0 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
+ fi
+ 
+ if [ ! -e server.key ]; then
+-  openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
++  openssl req -new  -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
+   chmod g+r server.key
+ fi
+ 
+ if [ ! -e ca.key ]; then
+-  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
++  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
+ fi
+ 
+ if [ ! -e index.txt ]; then
+@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
+ fi
+ 
+ if [ ! -e client.key ]; then
+-  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
++  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf -noenc
+   chmod g+r client.key
+ fi
+ 

freeradius-bootstrap-run-only-once.patch

@@ -0,0 +1,72 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Wed Jul 20 2021
+Subject: [PATCH] ensure bootstrap script is run only once
+
+	The bootstrap script should only run once. By checking if there are
+	certificates in the directory, we can exit early if certificates were
+	already generated.
+
+	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
+	Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ raddb/certs/README    | 16 ++++++----------
+ raddb/certs/bootstrap | 18 ++++++++++++------
+ 2 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/raddb/certs/README b/raddb/certs/README
+index 6288921da1..32413964dd 100644
+--- a/raddb/certs/README
++++ b/raddb/certs/README
+@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
+ your users, and to issue client certificates for EAP-TLS.
+ 
+   If FreeRADIUS was configured to use OpenSSL, then simply starting
+-the server in root in debugging mode should also create test
+-certificates, i.e.:
++the server in root mode should also create test certificates.
+ 
+-$ radiusd -X
+-
+-  That will cause the EAP-TLS module to run the "bootstrap" script in
+-this directory.  The script will be executed only once, the first time
+-the server has been installed on a particular machine.  This bootstrap
+-script SHOULD be run on installation of any pre-built binary package
+-for your OS.  In any case, the script will ensure that it is not run
+-twice, and that it does not over-write any existing certificates.
++  The start of FreeRADIUS will cause to run the "bootstrap" script.
++The script will be executed during every start of FreeRADIUS via systemd but
++the script will ensure that it does not overwrite any existing certificates.
++Ideally, the bootstrap script file should be deleted after new testing certificates
++have been generated.
+ 
+   If you already have CA and server certificates, rename (or delete)
+ this directory, and create a new "certs" directory containing your
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..92254dc936 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -1,12 +1,18 @@
+ #!/bin/sh
+ #
+-#  This is a wrapper script to create default certificates when the
+-#  server first starts in debugging mode.  Once the certificates have been
+-#  created, this file should be deleted.
++# Bootstrap script should be run only once. If there are already certificates
++# generated, skip the execution.
++#
++cd `dirname $0`
++if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
++  exit 0
++fi
++
+ #
+-#  Ideally, this program should be run as part of the installation of any
+-#  binary package.  The installation should also ensure that the permissions
+-#  and owners are correct for the files generated by this script.
++#  This is a wrapper script to create default certificates when the
++#  server starts via systemd. It should also ensure that the
++#  permissions and owners are correct for the generated files. Once
++# the certificates have been created, this file should be deleted.
+ #
+ #  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
+ #

freeradius-ldap-infinite-timeout-on-starttls.patch

@@ -0,0 +1,31 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 28 Jan 2022
+Subject: Use infinite timeout when using LDAP+start-TLS
+
+This will ensure that the TLS connection to the LDAP server will complete
+before starting FreeRADIUS, as it forces libldap to use a blocking socket during 
+the process. Infinite timeout is the OpenLDAP default.
+Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ src/modules/rlm_ldap/ldap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
+index cf7a84e069..841bf888a1 100644
+--- a/src/modules/rlm_ldap/ldap.c
++++ b/src/modules/rlm_ldap/ldap.c
+@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+ 	}
+ 
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+-	if (inst->net_timeout) {
++	bool using_tls = inst->start_tls ||
++					 inst->port == 636 ||
++					 strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
++	if (inst->net_timeout && !using_tls) {
+ 		memset(&tv, 0, sizeof(tv));
+ 		tv.tv_sec = inst->net_timeout;
+ 

freeradius-logrotate

@@ -0,0 +1,57 @@
+# You can use this to rotate the /var/log/radius/* files, simply copy
+# it to /etc/logrotate.d/radiusd
+
+# There are different detail-rotating strategies you can use.  One is
+# to write to a single detail file per IP and use the rotate config
+# below.  Another is to write to a daily detail file per IP with:
+#     detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation.  If you go with the
+# second technique, you will need another cron job that removes old
+# detail files.  You do not need to comment out the below for method #2.
+/var/log/radius/radacct/*/detail {
+	monthly
+	rotate 4
+	nocreate
+	missingok
+	compress
+	su radiusd radiusd
+}
+
+/var/log/radius/checkrad.log {
+	monthly
+	rotate 4
+	create
+	missingok
+	compress
+	su radiusd radiusd
+}
+
+
+/var/log/radius/radius.log {
+	monthly
+	rotate 4
+	create
+	missingok
+	compress
+	su radiusd radiusd
+	postrotate
+		/usr/bin/systemctl reload-or-try-restart radiusd
+	endscript
+}
+
+/var/log/radius/radwtmp {
+	monthly
+	rotate 4
+	create
+	compress
+	missingok
+	su radiusd radiusd
+}
+/var/log/radius/sqltrace.sql {
+        monthly
+        rotate 4
+        create
+        compress
+        missingok
+	su radiusd radiusd
+}

freeradius-man-Fix-some-typos.patch

@@ -0,0 +1,93 @@
+From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Fri, 14 Sep 2018 11:53:28 +0300
+Subject: [PATCH] man: Fix some typos
+
+---
+ man/man1/radzap.1   | 4 ++--
+ man/man5/unlang.5   | 6 +++---
+ man/man8/radcrypt.8 | 2 +-
+ man/man8/radiusd.8  | 4 ++--
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
+index a2d529d064..03b9a43a54 100644
+--- a/man/man1/radzap.1
++++ b/man/man1/radzap.1
+@@ -1,4 +1,4 @@
+-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
++.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
+ .SH NAME
+ radzap - remove rogue entries from the active sessions database
+ .SH SYNOPSIS
+@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
+ .RB [ \-x ]
+ \fIserver[:port] secret\fP
+ .SH DESCRIPTION
+-The FreeRadius server can be configured to maintain an active session
++The FreeRADIUS server can be configured to maintain an active session
+ database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
+ use this database. Sometimes that database can get out of sync, and
+ then it might contain rogue entries. \fBradzap\fP can clean up this
+diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
+index 40db5fa6e7..5f765f1787 100644
+--- a/man/man5/unlang.5
++++ b/man/man5/unlang.5
+@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
+ of Version 3, the <list> can be omitted, in which case "request" is
+ assumed.
+ 
+-The "control" list is the list of attributes maintainted internally by
++The "control" list is the list of attributes maintained internally by
+ the server that controls how the server processes the request.  Any
+ attribute that does not go in a packet on the network will generally
+ be placed in the "control" list.
+@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
+ quotes, or back-quoted).  Also evaluates to true if 'foo' is a
+ non-zero number.  Note that the language is poorly typed, so the
+ string "0000" can be interpreted as a numerical zero.  This issue can
+-be avoided by comparings strings to an empty string, rather than by
++be avoided by comparing strings to an empty string, rather than by
+ evaluating the string by itself.
+ 
+ If the word 'foo' is not a quoted string, then it can be taken as a
+@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
+ .IP ok
+ Instructs the server that the request was processed properly.  This
+ keyword can be used to over-ride earlier failures, if the local
+-administrator determines that the faiures are not catastrophic.
++administrator determines that the failures are not catastrophic.
+ .IP reject
+ Causes the request to be immediately rejected
+ .SH MODULE RETURN CODES
+diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
+index 08336c66f2..2917f60c46 100644
+--- a/man/man8/radcrypt.8
++++ b/man/man8/radcrypt.8
+@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
+ Ignored if performing a password check.
+ .IP "\-c --check"
+ Perform a validation check on a password hash to verify if it matches
+-the plantext password.
++the plaintext password.
+ 
+ .SH EXAMPLES
+ .nf
+diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
+index 98aef5e1be..2ef5ccf789 100644
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
+ used in the other configuration files.  You don't have to modify it.
+ It includes other dictionary files in the same directory.
+ .IP hints
+-Defines certain hints to the radius server based on the users's loginname
++Defines certain hints to the radius server based on the users' loginname
+ or other attributes sent by the access server. It also provides for
+ mapping user names (such as Pusername -> username). This provides the
+ functionality that the \fILivingston 2.0\fP server has as "Prefix" and
+-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
++"Suffix" support in the \fIusers\fP file, but is more general. Of course
+ the Livingston way of doing things is also supported, and you can even use
+ both at the same time (within certain limits).
+ .IP huntgroups

freeradius-no-buildtime-cert-gen.patch

@@ -0,0 +1,104 @@
+From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 12:58:02 -0400
+Subject: [PATCH] Don't generate certificates in reproducible builds
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ Make.inc.in  | 5 +++++
+ configure    | 4 ++++
+ configure.ac | 3 +++
+ raddb/all.mk | 4 ++++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/Make.inc.in b/Make.inc.in
+index 0b2cd74de8..8c623cf95c 100644
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -173,3 +173,8 @@ else
+ 	TESTBINDIR = ./$(BUILD_DIR)/bin
+ 	TESTBIN    = ./$(BUILD_DIR)/bin
+ endif
++
++#
++#  With reproducible builds, do not generate certificates during installation
++#
++ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
+diff --git a/configure b/configure
+index c2c599c92b..3d4403a844 100755
+--- a/configure
++++ b/configure
+@@ -655,6 +655,7 @@ RUSERS
+ SNMPWALK
+ SNMPGET
+ PERL
++ENABLE_REPRODUCIBLE_BUILDS
+ openssl_version_check_config
+ WITH_DHCP
+ modconfdir
+@@ -5586,6 +5587,7 @@ else
+ fi
+ 
+ 
++ENABLE_REPRODUCIBLE_BUILDS=yes
+ # Check whether --enable-reproducible-builds was given.
+ if test "${enable_reproducible_builds+set}" = set; then :
+   enableval=$enable_reproducible_builds;  case "$enableval" in
+@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
+     ;;
+   *)
+     reproducible_builds=no
++    ENABLE_REPRODUCIBLE_BUILDS=no
+   esac
+ 
+ fi
+@@ -5604,6 +5607,7 @@ fi
+ 
+ 
+ 
++
+ CHECKRAD=checkrad
+ # Extract the first word of "perl", so it can be a program name with args.
+ set dummy perl; ac_word=$2
+diff --git a/configure.ac b/configure.ac
+index a7abf0025a..35b013f4af 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
+ dnl #
+ dnl #  extra argument: --enable-reproducible-builds
+ dnl #
++ENABLE_REPRODUCIBLE_BUILDS=yes
+ AC_ARG_ENABLE(reproducible-builds,
+ [AS_HELP_STRING([--enable-reproducible-builds],
+                 [ensure the build does not change each time])],
+@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
+     ;;
+   *)
+     reproducible_builds=no
++    ENABLE_REPRODUCIBLE_BUILDS=no
+   esac ]
+ )
++AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
+ 
+ 
+ dnl #############################################################
+diff --git a/raddb/all.mk b/raddb/all.mk
+index c966edd657..c8e976a499 100644
+--- a/raddb/all.mk
++++ b/raddb/all.mk
+@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
+ ifneq "$(LOCAL_CERT_PRODUCTS)" ""
+ $(LOCAL_CERT_PRODUCTS):
+ 	@echo BOOTSTRAP raddb/certs/
++ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
++	@$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
++else
+ 	@$(MAKE) -C $(R)$(raddbdir)/certs/
++endif
+ 
+ # Bootstrap is special
+ $(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
+-- 
+2.21.0
+

freeradius-no-dh-param-load-FIPS.patch

@@ -0,0 +1,45 @@
+From 42693cba452efa00a4848beb1514229149520cc1 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 5 Aug 2020 11:39:45 -0400
+Subject: [PATCH] Ignore user-provided dhparams in FIPS mode (#3554)
+
+OpenSSL in RHEL 8.3 introduces a breaking change in FIPS mode:
+user-provided dhparams will be ignored (and dhparam generation
+may fail as well), unless they are on the FIPS approved list of
+parameters. However, OpenSSL since v1.1.1 will automatically select
+an appropriate DH parameter set anyways, if the user did not provide
+any. These will be FIPS approved.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ src/main/tls.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5809a1bd7d..5e6493333c 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -1352,6 +1352,23 @@ static int load_dh_params(SSL_CTX *ctx, char *file)
+
+ 	if (!file) return 0;
+
++	/*
++	 * Prior to trying to load the file, check what OpenSSL will do with it.
++	 *
++	 * Certain downstreams (such as RHEL) will ignore user-provided dhparams
++	 * in FIPS mode, unless the specified parameters are FIPS-approved.
++	 * However, since OpenSSL >= 1.1.1 will automatically select parameters
++	 * anyways, there's no point in attempting to load them.
++	 *
++	 * Change suggested by @t8m
++	 */
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++	if (FIPS_mode() > 0) {
++		WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
++		return 0;
++	}
++#endif
++
+ 	if ((bio = BIO_new_file(file, "r")) == NULL) {
+ 		ERROR(LOG_PREFIX ": Unable to open DH file - %s", file);
+ 		return -1;

freeradius-pam-conf

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       include	password-auth
+account    required	pam_nologin.so
+account    include	password-auth
+password   include	password-auth
+session    include	password-auth

freeradius-tmpfiles.conf

@@ -0,0 +1 @@
+D /run/radiusd 0710 radiusd radiusd -

freeradius.sysusers

@@ -0,0 +1,3 @@
+#Type Name     ID  GECOS           Home directory        Shell
+u     radiusd  95  "radiusd user"  /var/lib/radiusd      /sbin/nologin
+g     radiusd  95  -               -                     -

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

radiusd.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

rfc3526-group-18-8192.pem

@@ -0,0 +1,24 @@
+-----BEGIN DH PARAMETERS-----
+MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
+fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
+ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
+ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
+HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG
+3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU
+7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId
+A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha
+xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/
+8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R
+WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk
+ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw
+xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4
+Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i
+aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU
+38gfVuiAuW5xYMmA3Zjt09///////////wIBAg==
+-----END DH PARAMETERS-----

rpminspect.yaml

@@ -0,0 +1,3 @@
+---
+inspections:
+    badfuncs: off

sources

@@ -0,0 +1 @@
+SHA1 (freeradius-server-3.0.20.tar.bz2) = 3dd0e18fa04aff410876309e4322313b700db2b7

tests/auth-tests/Makefile

@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: LGPL-2.1+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/freeradius
+#   Description: Test if freeradius authentication workd ok
+#   Author: Susant Sahani<susant@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+export TEST=/CoreOS/freeradius
+export TESTVERSION=1.0
+BUILT_FILES=
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+.PHONY: all install download clean
+run: $(FILES) build
+	./runtest.sh
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+clean:
+	rm -f *~ $(BUILT_FILES)
+include /usr/share/rhts/lib/rhts-make.include
+$(METADATA): Makefile
+	@echo "Owner:           Susant Sahani<susant@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test if the ABI hasn't changed" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          freeradius" >> $(METADATA)
+	@echo "Requires:        freeradius freeradius-utils python3 python3-psutil" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -Fedora 28" >> $(METADATA)
+	rhts-lint $(METADATA)

tests/auth-tests/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/freeradius
+Description: tests for freeradius
+Author: Susant Sahani<susant@redhat.com>

tests/auth-tests/authorize

@@ -0,0 +1,2 @@
+fedora-ci Cleartext-Password := "password"
+       Reply-Message = "Hello, %{User-Name}"

tests/auth-tests/clients.conf

@@ -0,0 +1,6 @@
+client localhost {
+     ipaddr = 127.0.0.1
+     secret = testing123
+     require_message_authenticator = no
+     nastype = other
+}

tests/auth-tests/freeradius-tests.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: LGPL-2.1+
+# ~~~
+#   Description: Tests for freeradius
+#
+#   Author: Susant Sahani <susant@redhat.com>
+#   Copyright (c) 2018 Red Hat, Inc.
+# ~~~
+
+import errno
+import os
+import sys
+import time
+import unittest
+import subprocess
+import signal
+import shutil
+import psutil
+import socket
+
+RADIUSD_PID_FILE='/var/run/radiusd/radiusd.pid'
+
+def setUpModule():
+    """Initialize the environment, and perform sanity checks on it."""
+
+    if shutil.which('radiusd') is None:
+        raise OSError(errno.ENOENT, 'radiusd not found')
+
+    if shutil.which('radtest') is None:
+        raise OSError(errno.ENOENT, 'radtest not found')
+
+    if subprocess.call(['systemctl', 'is-active', '--quiet',
+                        'radiusd.service']) == 0:
+        raise unittest.SkipTest('radiusd.service is already active')
+
+def tearDownModule():
+        pass
+
+class GenericUtilities():
+    """Provide a set of utility functions start stop daemons. write config files etc """
+
+    def StartRadiusServer(self):
+        """Start radiusd"""
+        subprocess.check_output(['systemctl', 'start', 'radiusd'])
+
+    def StopRadiusServer(self):
+        """stop radiusd"""
+        subprocess.check_output(['systemctl', 'stop', 'radiusd'])
+
+class RadiousTests(unittest.TestCase, GenericUtilities):
+
+    def setUp(self):
+        self.StartRadiusServer()
+
+    def tearDown(self):
+        self.StopRadiusServer()
+
+    def test_radius_plaintext_auth(self):
+        time.sleep(1)
+        output=subprocess.check_output(['radtest', 'fedora-ci', 'password', '127.0.0.1',  '100', 'testing123']).rstrip().decode('utf-8')
+        print(output)
+
+        self.assertRegex(output, "Received Access-Accept")
+        self.assertRegex(output, "Reply-Message = \"Hello, fedora-ci\"")
+
+if __name__ == '__main__':
+    unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
+                                                     verbosity=3))

tests/auth-tests/runtest.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1+
+# ~~~
+#   runtest.sh of freeradius
+#   Description:  RADIUS server
+#
+#   Author: Susant Sahani <susant@redhat.com>
+#   Copyright (c) 2018 Red Hat, Inc.
+# ~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="freeradius"
+
+RADIUS_CLIENT_CONF="/etc/raddb/clients.conf"
+RADIUD_PALIN_TEXT_AUTH_FILE="/etc/raddb/mods-config/files/authorize"
+
+generate_cert(){
+    pushd /etc/raddb/certs/
+    #remove certificates if exists;generate new certificates
+    if [[ -f /etc/raddb/certs/bootstrap ]]; then
+        rlLog "Destroy and create new default certificates via bootstrap script"
+        rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* dh
+        rlRun "sh /etc/raddb/certs/bootstrap" 0 "Gnenerating certificates"
+    else
+        rlLogWarning "!!! WARNING bootsrap file does not exist !!!"
+        rlLog "Destroy and create new default certificates via make scripts"
+        make destroycerts -C /etc/raddb/certs/
+        #create new certificates
+        make -C /etc/raddb/certs/
+        chown root:radiusd dh ca.* client.* server.*
+        chmod 640 dh ca.* client.* server.*
+    fi
+    popd
+}
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm $PACKAGE
+        rlRun "systemctl stop firewalld" 0,5
+        rlRun "systemctl stop radiusd.service"
+        rlRun "setenforce 0"
+        rlFileBackup "$RADIUS_CLIENT_CONF"
+        rlFileBackup "$RADIUD_PALIN_TEXT_AUTH_FILE"
+
+        rlRun "cp freeradius-tests.py /usr/bin/"
+        rlRun "cp clients.conf $RADIUS_CLIENT_CONF"
+        rlRun "cp authorize $RADIUD_PALIN_TEXT_AUTH_FILE"
+        rlRun "systemctl daemon-reload"
+        #manually generate default certificates
+        generate_cert
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlLog "Starting radius auth tests ..."
+        rlRun "/usr/bin/python3 /usr/bin/freeradius-tests.py"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm /usr/bin/freeradius-tests.py"
+        rlRun "systemctl start firewalld" 0,5
+        rlRun "setenforce 1"
+        rlFileRestore
+        rlLog "freeradius tests done"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
+rlGetTestState

tests/tests.yml

@@ -0,0 +1,12 @@
+- hosts: localhost
+  roles:
+    - role: standard-test-beakerlib
+      tags:
+      - classic
+      tests:
+      - auth-tests
+      required_packages:
+      - python3
+      - systemd
+      - freeradius
+      - freeradius-utils