From 7960729fb9a6e5c87807ad5c8f2a6f686698969a Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 18 Oct 2018 16:21:59 -0400
Subject: [PATCH] Update to upstream release v3.0.17
Signed-off-by: Alexander Scheel
---
 .gitignore | 1 +
 freeradius-OpenSSL-HMAC-MD5.patch | 68 ++++++++++++++++++++++++++++
 freeradius-OpenSSL-HMAC-SHA1.patch | 73 ++++++++++++++++++++++++++++++
 freeradius-python2-shebangs.patch | 64 ++++++++++++++++++++++++++
 freeradius.spec | 18 ++++++--
 sources | 2 +-
 6 files changed, 221 insertions(+), 5 deletions(-)
 create mode 100644 freeradius-OpenSSL-HMAC-MD5.patch
 create mode 100644 freeradius-OpenSSL-HMAC-SHA1.patch
 create mode 100644 freeradius-python2-shebangs.patch
diff --git a/.gitignore b/.gitignore
index 779754b..28f9f6c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@
 /freeradius-server-3.0.13.tar.bz2
 /freeradius-server-3.0.14.tar.bz2
 /freeradius-server-3.0.15.tar.bz2
+/freeradius-server-3.0.17.tar.bz2
diff --git a/freeradius-OpenSSL-HMAC-MD5.patch b/freeradius-OpenSSL-HMAC-MD5.patch
new file mode 100644
index 0000000..1e54c55
--- /dev/null
+++ b/freeradius-OpenSSL-HMAC-MD5.patch
@@ -0,0 +1,68 @@
+From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Fri, 28 Sep 2018 09:54:46 -0400
+Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
+
+If OpenSSL EVP is not found, fallback to internal implementation of
+HMAC-MD5.
+
+Signed-off-by: Alexander Scheel
+---
+ src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
+index 2c662ff368..1cca00fa2a 100644
+--- a/src/lib/hmacmd5.c
++++ b/src/lib/hmacmd5.c
+@@ -27,10 +27,41 @@
+
+ RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+
++#ifdef HAVE_OPENSSL_EVP_H
++#include
++#include
++#endif
++
+ #include
+ #include
+
+-/** Calculate HMAC using MD5
++#ifdef HAVE_OPENSSL_EVP_H
++/** Calculate HMAC using OpenSSL's MD5 implementation
++ *
++ * @param digest Caller digest to be filled in.
++ * @param text Pointer to data stream.
++ * @param text_len length of data stream.
++ * @param key Pointer to authentication key.
++ * @param key_len Length of authentication key.
++ *
++ */
++void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
++ uint8_t const *key, size_t key_len)
++{
++ HMAC_CTX *ctx = HMAC_CTX_new();
++
++#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
++ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
++ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
++
++ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
++ HMAC_Update(ctx, text, text_len);
++ HMAC_Final(ctx, digest, NULL);
++ HMAC_CTX_free(ctx);
++}
++#else
++/** Calculate HMAC using internal MD5 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+@@ -101,6 +132,7 @@
+ * hash */
+ fr_md5_final(digest, &context); /* finish up 2nd pass */
+ }
++#endif /* HAVE_OPENSSL_EVP_H */
+
+ /*
+ Test Vectors (Trailing '\0' of a character string not included in test):
diff --git a/freeradius-OpenSSL-HMAC-SHA1.patch b/freeradius-OpenSSL-HMAC-SHA1.patch
new file mode 100644
index 0000000..6c60951
--- /dev/null
+++ b/freeradius-OpenSSL-HMAC-SHA1.patch
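Review bot: The OpenSSL branch of `fr_hmac_md5` uses the result of `HMAC_CTX_new()` without a NULL check and discards the return values of `HMAC_Init_ex`, `HMAC_Update` and `HMAC_Final`, so a failed call leaves `digest` unwritten and the caller would go on to compare or send whatever bytes the buffer held. A refused digest is plausible here, because the `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` flag is set only when that macro is defined. Each step should be tested, e.g. `if (!ctx || HMAC_Init_ex(ctx, key, (int)key_len, EVP_md5(), NULL) != 1) goto fail;`, with the `size_t` to `int` narrowing of `key_len` range-checked first; since the function returns `void`, the failure path has to stop the request rather than return, which needs a decision outside this hunk. `fr_hmac_sha1` in freeradius-OpenSSL-HMAC-SHA1.patch adds the same unchecked sequence. It is also worth confirming that `HAVE_OPENSSL_EVP_H` implies an OpenSSL new enough to provide `HMAC_CTX_new`, as the guard does not test a version.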
@@ -0,0 +1,73 @@
+From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Fri, 28 Sep 2018 11:03:52 -0400
+Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
+
+If OpenSSL EVP is not found, fallback to internal implementation of
+HMAC-SHA1.
+
+Signed-off-by: Alexander Scheel
+---
+ src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
+index c3cbd87a2c..211470ea35 100644
+--- a/src/lib/hmacsha1.c
++++ b/src/lib/hmacsha1.c
+@@ -10,13 +10,19 @@
+
+ RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+
++#ifdef HAVE_OPENSSL_EVP_H
++#include
++#include
++#endif
++
+ #include
+
+ #ifdef HMAC_SHA1_DATA_PROBLEMS
+ unsigned int sha1_data_problems = 0;
+ #endif
+
+-/** Calculate HMAC using SHA1
++#ifdef HAVE_OPENSSL_EVP_H
++/** Calculate HMAC using OpenSSL's SHA1 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+@@ -28,6 +34,26 @@
+ void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+ {
++ HMAC_CTX *ctx = HMAC_CTX_new();
++ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
++ HMAC_Update(ctx, text, text_len);
++ HMAC_Final(ctx, digest, NULL);
++ HMAC_CTX_free(ctx);
++}
++
++#else
++
++/** Calculate HMAC using internal SHA1 implementation
++ *
++ * @param digest Caller digest to be filled in.
++ * @param text Pointer to data stream.
++ * @param text_len length of data stream.
++ * @param key Pointer to authentication key.
++ * @param key_len Length of authentication key.
++ */
++void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
++ uint8_t const *key, size_t key_len)
++{
+ fr_sha1_ctx context;
+ uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
+ uint8_t k_opad[65]; /* outer padding - key XORd with opad */
+@@ -142,6 +168,7 @@
+ }
+ #endif
+ }
++#endif /* HAVE_OPENSSL_EVP_H */
+
+ /*
+ Test Vectors (Trailing '\0' of a character string not included in test):
diff --git a/freeradius-python2-shebangs.patch b/freeradius-python2-shebangs.patch
new file mode 100644
index 0000000..86954db
--- /dev/null
+++ b/freeradius-python2-shebangs.patch
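Review bot: The `HMAC_SHA1_DATA_PROBLEMS` tracing appears to survive only in the `#else` branch of `fr_hmac_sha1` (the `#endif` / `}` context of the `@@ -142,6 +168,7 @@` hunk sits at the end of the internal implementation), while `sha1_data_problems` is still defined at file scope for both builds. That should be documented next to the variable, for example `/* only honoured by the internal implementation; the OpenSSL path prints nothing */`, so that someone enabling the flag on an OpenSSL build is not misled by silent output. The doc comment on the OpenSSL variant could also state that OpenSSL failures are not reported to the caller. The body of the internal function lies outside the hunk, so this reading should be confirmed against the full file.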
@@ -0,0 +1,64 @@
+From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Thu, 18 Oct 2018 12:40:53 -0400
+Subject: [PATCH] Clarify shebangs to be python2
+
+Signed-off-by: Alexander Scheel
+---
+ scripts/radtee | 2 +-
+ src/modules/rlm_python/example.py | 2 +-
+ src/modules/rlm_python/prepaid.py | 2 +-
+ src/modules/rlm_python/radiusd.py | 2 +-
+ src/modules/rlm_python/radiusd_test.py | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/scripts/radtee b/scripts/radtee
+index 123769d244..78b4bcbe0b 100755
+--- a/scripts/radtee
++++ b/scripts/radtee
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python2
+ from __future__ import with_statement
+
+ # RADIUS comparison tee v1.0
+diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
+index 5950a07678..eaf456e349 100644
+--- a/src/modules/rlm_python/example.py
++++ b/src/modules/rlm_python/example.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Python module example file
+ # Miguel A.L. Paraz
+diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
+index c3cbf57b8f..3b1dc2e2e8 100644
+--- a/src/modules/rlm_python/prepaid.py
++++ b/src/modules/rlm_python/prepaid.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Example Python module for prepaid usage using MySQL
+
+diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
+index c535bb3caf..7129923994 100644
+--- a/src/modules/rlm_python/radiusd.py
++++ b/src/modules/rlm_python/radiusd.py
+@@ -1,4 +1,4 @@
+-#! /usr/bin/env python
++#! /usr/bin/env python2
+ #
+ # Definitions for RADIUS programs
+ #
+diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
+index 13b7128b29..97b5b64f08 100644
+--- a/src/modules/rlm_python/radiusd_test.py
++++ b/src/modules/rlm_python/radiusd_test.py
+@@ -1,4 +1,4 @@
+-#! 
/usr/bin/env python ++#! /usr/bin/env python2 + # + # Python module test + # Miguel A.L. Paraz diff --git a/freeradius.spec b/freeradius.spec index dc1f18d..7fef406 100644 --- a/freeradius.spec +++ b/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius -Version: 3.0.15 -Release: 18%{?dist} +Version: 3.0.17 +Release: 1%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.freeradius.org/ @@ -25,6 +25,9 @@ Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch Patch2: freeradius-Use-system-crypto-policy-by-default.patch Patch3: freeradius-man-Fix-some-typos.patch Patch4: freeradius-Add-missing-option-descriptions.patch +Patch5: freeradius-OpenSSL-HMAC-MD5.patch +Patch6: freeradius-OpenSSL-HMAC-SHA1.patch +Patch7: freeradius-python2-shebangs.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -205,6 +208,9 @@ This plugin provides the REST support for the FreeRADIUS server project. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build # Force compile/link options, extra security for network facing daemon @@ -213,6 +219,7 @@ This plugin provides the REST support for the FreeRADIUS server project. %configure \ --libdir=%{_libdir}/freeradius \ --disable-openssl-version-check \ + --with-openssl \ --with-udpfromto \ --with-threads \ --with-docdir=%{docdir} \ @@ -518,7 +525,6 @@ exit 0 %config(missingok) /etc/raddb/mods-enabled/date %config(missingok) /etc/raddb/mods-enabled/detail %config(missingok) /etc/raddb/mods-enabled/detail.log -%config(missingok) /etc/raddb/mods-enabled/dhcp %config(missingok) /etc/raddb/mods-enabled/digest %config(missingok) /etc/raddb/mods-enabled/dynamic_clients %config(missingok) /etc/raddb/mods-enabled/eap 
@@ -765,7 +771,6 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/schema.sql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql/extras -%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/update_radacct_group.sql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql @@ -808,6 +813,11 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %changelog +* Thu Oct 18 2018 Alexander Scheel - 3.0.17-1 +- Update to FreeRADIUS server version 3.0.17 +- Adds OpenSSL HMAC patches from upstream (unreleased) +- Adds Python2 shebang patches from upstream (unreleased) + * Mon Sep 17 2018 Nikolai Kondrashov - 3.0.15-18 - Actually apply patches added previously. Related: Bug#1611286 Man page scan results for freeradius diff --git a/sources b/sources index 1e5a2c5..d4d7f35 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (freeradius-server-3.0.15.tar.bz2) = a2808f0b70b73f11c4c7d00edcb4a56a2ab8f73ce0ff74a9834c8b613ce5ed75ece372f852b0891f68c6a33f50c1bababb76d2eff9326a7fc29fe6b45ec9af88 +SHA512 (freeradius-server-3.0.17.tar.bz2) = f4510d8e77eb7c72a21fbfad851f13460ff4b5a35f0b7bea6102076ceb71188a63b277fb7e4fcd9c3033b396b63e1bf0e455cc03608d7ab1380d1662407cb399