import freeradius-3.0.21-26.el9

SOURCES/freeradius-ldap-infinite-timeout-on-starttls.patch

@@ -0,0 +1,31 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 28 Jan 2022
+Subject: Use infinite timeout when using LDAP+start-TLS
+
+This will ensure that the TLS connection to the LDAP server will complete
+before starting FreeRADIUS, as it forces libldap to use a blocking socket during 
+the process. Infinite timeout is the OpenLDAP default.
+Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ src/modules/rlm_ldap/ldap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
+index cf7a84e069..841bf888a1 100644
+--- a/src/modules/rlm_ldap/ldap.c
++++ b/src/modules/rlm_ldap/ldap.c
+@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+ 	}
+ 
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+-	if (inst->net_timeout) {
++	bool using_tls = inst->start_tls ||
++					 inst->port == 636 ||
++					 strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
++	if (inst->net_timeout && !using_tls) {
+ 		memset(&tv, 0, sizeof(tv));
+ 		tv.tv_sec = inst->net_timeout;
+ 

SOURCES/freeradius-tmpfiles.conf

@@ -1 +1,2 @@
 D /run/radiusd 0710 radiusd radiusd -
+D /run/radiusd/tmp 0700 radiusd radiusd -

SPECS/freeradius.spec

@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 21%{?dist}
+Release: 26%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/
 
@@ -26,6 +26,8 @@ Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
 Patch5: freeradius-bootstrap-make-permissions.patch
 Patch6: freeradius-Fix-resource-hard-limit-error.patch
+Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
+Patch8: freeradius-Backport-OpenSSL3-fixes.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -53,7 +55,7 @@ BuildRequires: ykclient-devel
 
 # Require OpenSSL version we built with, or newer, to avoid startup failures
 # due to runtime OpenSSL version checks.
-Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
+Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
 Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
@@ -209,6 +211,8 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -851,6 +855,28 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Mon Jan 31 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-26
+- Move remaining files from /var/run to /run
+  Related: rhbz#2047972
+
+* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
+- Revert "Allow to connect to partially open LDAP handle"
+- Use infinite timeout (openldap default) when using LDAP+start-TLS
+- Update openssl dependency to not check epoch (was causing detection issues)
+  Related: rhbz#1992551
+
+* Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
+- Avoid segfault when trying to use MD4 without legacy provider
+  Related: rhbz#1978216
+
+* Wed Jan 12 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-23
+- Backport OpenSSL3 fixes
+  Related: rhbz#1978216
+
+* Wed Oct 13 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-22
+- Allow to connect to partially open LDAP handle
+  Related: rhbz#1992551
+
 * Mon Sep 27 2021 Antonio Torres <antorres@redhat.com> - 3.0.21-21
 - Move FR's systemd unit PID file from /var/run to /run
   Related: rhbz#2006368