rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Upgrade to upstream v3.0.7 release

Browse Source 
Resolves: Bug#1133959
This commit is contained in:
Nikolai Kondrashov 2015-03-19 15:03:38 +02:00
parent 6ba73827f1
commit 9bf49420c8
33 changed files with 16 additions and 2702 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -11,3 +11,4 @@
/freeradius-server-3.0.3.tar.bz2 /freeradius-server-3.0.3.tar.bz2
/freeradius-server-3.0.4rc2.tar.bz2 /freeradius-server-3.0.4rc2.tar.bz2
/freeradius-server-3.0.4.tar.bz2 /freeradius-server-3.0.4.tar.bz2
/freeradius-server-3.0.7.tar.bz2

62
freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch
View File

@ -1,62 +0,0 @@
From 64ee0b30df59857bce8f0efea019d065cf48c54c Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Thu, 18 Dec 2014 22:05:35 +0200
Subject: [PATCH 2/2] Don't overwrite ip_hton af/prefix in fr_pton4/6
Don't overwrite address family and prefix set by ip_hton (which can fall
back onto other address family) with AF_INET/32 and AF_INET6/128, in
fr_pton4 and fr_pton6 respectively.
This fixes radiusd listening on wrong address data when falling back to
another address family.
---
src/lib/misc.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index ad27057..cf49917 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -238,6 +238,9 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo
* 192.0.2.2 is parsed as if it was /32
*/
if (!p) {
+ out->prefix = 32;
+ out->af = AF_INET;
+
/*
* Allow '*' as the wildcard address usually 0.0.0.0
*/
@@ -258,9 +261,6 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo
}
} else if (ip_hton(out, AF_INET, value, fallback) < 0) return -1;
- out->prefix = 32;
- out->af = AF_INET;
-
return 0;
}
@@ -338,6 +338,9 @@ int fr_pton6(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo
p = strchr(value, '/');
if (!p) {
+ out->prefix = 128;
+ out->af = AF_INET6;
+
/*
* Allow '*' as the wildcard address
*/
@@ -350,9 +353,6 @@ int fr_pton6(fr_ipaddr_t *out, char const *value, size_t inlen, bool resolve, bo
}
} else if (ip_hton(out, AF_INET6, value, fallback) < 0) return -1;
- out->prefix = 128;
- out->af = AF_INET6;
-
return 0;
}
--
2.1.3

131
freeradius-Fix-OpenSSL-version-check-issues.patch
View File

@ -1,131 +0,0 @@
From 6d296f2c4f3c58742543cc0508642c6d06747aea Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Thu, 16 Oct 2014 11:16:57 -0400
Subject: [PATCH 1/1] Fix OpenSSL version check issues
---
src/include/radiusd.h | 4 ++--
src/main/version.c | 40 ++++++++++++++++++++--------------------
2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index 53a1f3e..1bf15d7 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -598,8 +598,8 @@ void pairlist_free(PAIR_LIST **);
/* version.c */
int rad_check_lib_magic(uint64_t magic);
int ssl_check_consistency(void);
-char const *ssl_version_by_num(uint64_t version);
-char const *ssl_version_range(uint64_t low, uint64_t high);
+char const *ssl_version_by_num(uint32_t version);
+char const *ssl_version_range(uint32_t low, uint32_t high);
char const *ssl_version(void);
void version(void);
diff --git a/src/main/version.c b/src/main/version.c
index 8b56ffa..fd97970 100644
--- a/src/main/version.c
+++ b/src/main/version.c
@@ -38,7 +38,7 @@ static long ssl_built = OPENSSL_VERSION_NUMBER;
/** Check built and linked versions of OpenSSL match
*
* OpenSSL version number consists of:
- * MMNNFFPPS: major minor fix patch status
+ * MNNFFPPS: major minor fix patch status
*
* Where status >= 0 && < 10 means beta, and status 10 means release.
*
@@ -56,11 +56,11 @@ int ssl_check_consistency(void)
/*
* Status mismatch always triggers error.
*/
- if ((ssl_linked & 0x00000000f) != (ssl_built & 0x00000000f)) {
+ if ((ssl_linked & 0x0000000f) != (ssl_built & 0x0000000f)) {
mismatch:
ERROR("libssl version mismatch. built: %lx linked: %lx",
- (unsigned long) ssl_built,
- (unsigned long) ssl_linked);
+ (unsigned long) ssl_built,
+ (unsigned long) ssl_linked);
return -1;
}
@@ -70,14 +70,14 @@ int ssl_check_consistency(void)
* 1.0.0 and only allow moving backwards within a patch
* series.
*/
- if (ssl_built & 0xff) {
- if ((ssl_built & 0xffff) != (ssl_linked & 0xffff) ||
- (ssl_built & 0x0000ff) > (ssl_linked & 0x0000ff)) goto mismatch;
+ if (ssl_built & 0xf00000000) {
+ if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000) ||
+ (ssl_built & 0x00000ff0) > (ssl_linked & 0x00000ff0)) goto mismatch;
/*
* Before 1.0.0 we require the same major minor and fix version
* and ignore the patch number.
*/
- } else if ((ssl_built & 0xffffff) != (ssl_linked & 0xffffff)) goto mismatch;
+ } else if ((ssl_built & 0xfffff000) != (ssl_linked & 0xfffff000)) goto mismatch;
return 0;
}
@@ -89,22 +89,22 @@ int ssl_check_consistency(void)
* @param v version to convert.
* @return pointer to a static buffer containing the version string.
*/
-char const *ssl_version_by_num(uint64_t v)
+char const *ssl_version_by_num(uint32_t v)
{
/* 2 (%s) + 1 (.) + 2 (%i) + 1 (.) + 2 (%i) + 1 (c) + 1 (-) + 2 (%i) + \0 */
static char buffer[13];
char *p = buffer;
- p += sprintf(p, "%i.%i.%i",
- (int) ((0xff0000000 & v) >> 28),
- (int) ((0x00ff00000 & v) >> 20),
- (int) ((0x0000ff000 & v) >> 12));
+ p += sprintf(p, "%u.%u.%u",
+ (0xf0000000 & v) >> 28,
+ (0x0ff00000 & v) >> 20,
+ (0x000ff000 & v) >> 12);
- if ((0x000000ff0 & v) >> 4) {
- *p++ = (char) (0x60 + ((0x000000ff0 & v) >> 4));
+ if ((0x00000ff0 & v) >> 4) {
+ *p++ = (char) (0x60 + ((0x00000ff0 & v) >> 4));
}
- sprintf(p, "-%i", (int) (0x00000000f & v));
+ sprintf(p, "%x", 0x0000000f & v);
return buffer;
}
@@ -117,7 +117,7 @@ char const *ssl_version_by_num(uint64_t v)
* @param high version to convert.
* @return pointer to a static buffer containing the version range string.
*/
-char const *ssl_version_range(uint64_t low, uint64_t high)
+char const *ssl_version_range(uint32_t low, uint32_t high)
{
/* 12 (version) + 3 ( - ) + 12 (version) */
static char buffer[28];
@@ -141,12 +141,12 @@ char const *ssl_version(void)
{
static char buffer[256];
- uint64_t v = (uint64_t) SSLeay();
+ uint32_t v = SSLeay();
- snprintf(buffer, sizeof(buffer), "%s 0x%.9" PRIx64 " (%s)",
+ snprintf(buffer, sizeof(buffer), "%s 0x%.8x (%s)",
SSLeay_version(SSLEAY_VERSION), /* Not all builds include a useful version number */
v,
- ssl_version_by_num((uint64_t) v));
+ ssl_version_by_num(v));
return buffer;
}
--
2.1.4

64
freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch
View File

@ -1,64 +0,0 @@
From a23dbf402ad466bf41c95da82e58dedc7b615f99 Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Mon, 1 Dec 2014 14:15:45 -0500
Subject: [PATCH 1/2] Resolve to all families on ip_hton fallback
If we're doing fallback resolution we need to set the address family to
AF_UNSPEC to get both IPv6 and IPv4 addresses
The af that was passed in, is then used to set the preference
---
src/lib/misc.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index d0ccd6c..ad27057 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -845,7 +845,15 @@ int ip_hton(fr_ipaddr_t *out, int af, char const *hostname, bool fallback)
int rcode;
struct addrinfo hints, *ai = NULL, *alt = NULL, *res = NULL;
+ /*
+ * Avoid malloc for IP addresses. This helps us debug
+ * memory errors when using talloc.
+ */
+#ifdef TALLOC_DEBUG
+ if (true) {
+#else
if (!fr_hostname_lookups) {
+#endif
#ifdef HAVE_STRUCT_SOCKADDR_IN6
if (af == AF_UNSPEC) {
char const *p;
@@ -872,22 +880,15 @@ int ip_hton(fr_ipaddr_t *out, int af, char const *hostname, bool fallback)
}
memset(&hints, 0, sizeof(hints));
- hints.ai_family = af;
-#ifdef TALLOC_DEBUG
/*
- * Avoid malloc for IP addresses. This helps us debug
- * memory errors when using talloc.
+ * If we're falling back we need both IPv4 and IPv6 records
*/
- if (af == AF_INET) {
- /*
- * If it's all numeric, avoid getaddrinfo()
- */
- if (inet_pton(af, hostname, &out->ipaddr.ip4addr) == 1) {
- return 0;
- }
+ if (fallback) {
+ hints.ai_family = AF_UNSPEC;
+ } else {
+ hints.ai_family = af;
}
-#endif
if ((rcode = getaddrinfo(hostname, NULL, &hints, &res)) != 0) {
fr_strerror_printf("ip_hton: %s", gai_strerror(rcode));
--
2.1.3

401
freeradius-access-union-consistently.patch
View File

@ -1,401 +0,0 @@
From 5e8a69d547461c757abe2870ecbff2aa7a1fea55 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Wed, 1 Oct 2014 11:51:51 -0400
Subject: [PATCH 2/4] Access union value_data members consistently
Use the same, appropriate union value_data member for each access of
BOOLEAN, BYTE and SHORT PW_TYPEs, without assuming they're
interchangeable with "integer", as that is only true on little-endian
architectures.
This fixes at least this wimax unit test failure on s390x and ppc64:
Mismatch in line 11 of src/tests/unit/wimax.txt, got: 1a 0c 00 00 60 b5 01 06 00 02 03 00 expected: 1a 0c 00 00 60 b5 01 06 00 02 03 01
---
src/lib/print.c | 56 ++++++++++++------
src/lib/radius.c | 8 +--
src/lib/valuepair.c | 83 +++++++++++++++++++--------
src/main/evaluate.c | 4 +-
src/main/valuepair.c | 4 ++
src/main/xlat.c | 4 +-
src/modules/rlm_couchbase/mod.c | 17 +++++-
src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c | 4 +-
8 files changed, 128 insertions(+), 52 deletions(-)
diff --git a/src/lib/print.c b/src/lib/print.c
index 67263bc..fc1ae42 100644
--- a/src/lib/print.c
+++ b/src/lib/print.c
@@ -314,6 +314,7 @@ size_t vp_data_prints_value(char *out, size_t outlen,
char const *a = NULL;
time_t t;
struct tm s_tm;
+ unsigned int i;
size_t len = 0, freespace = outlen;
@@ -365,15 +366,24 @@ size_t vp_data_prints_value(char *out, size_t outlen,
return fr_print_string(data->strvalue, data_len, out, outlen);
case PW_TYPE_INTEGER:
- case PW_TYPE_BYTE:
+ i = data->integer;
+ goto print_int;
+
case PW_TYPE_SHORT:
+ i = data->ushort;
+ goto print_int;
+
+ case PW_TYPE_BYTE:
+ i = data->byte;
+
+print_int:
/* Normal, non-tagged attribute */
- if ((v = dict_valbyattr(da->attr, da->vendor, data->integer)) != NULL) {
+ if ((v = dict_valbyattr(da->attr, da->vendor, i)) != NULL) {
a = v->name;
len = strlen(a);
} else {
/* should never be truncated */
- len = snprintf(buf, sizeof(buf), "%u", data->integer);
+ len = snprintf(buf, sizeof(buf), "%u", i);
a = buf;
}
break;
@@ -590,12 +600,20 @@ size_t vp_prints_value_json(char *out, size_t outlen, VALUE_PAIR const *vp)
if (!vp->da->flags.has_tag) {
switch (vp->da->type) {
case PW_TYPE_INTEGER:
- case PW_TYPE_BYTE:
- case PW_TYPE_SHORT:
if (vp->da->flags.has_value) break;
return snprintf(out, freespace, "%u", vp->vp_integer);
+ case PW_TYPE_SHORT:
+ if (vp->da->flags.has_value) break;
+
+ return snprintf(out, freespace, "%u", (unsigned int) vp->vp_short);
+
+ case PW_TYPE_BYTE:
+ if (vp->da->flags.has_value) break;
+
+ return snprintf(out, freespace, "%u", (unsigned int) vp->vp_byte);
+
case PW_TYPE_SIGNED:
return snprintf(out, freespace, "%d", vp->vp_signed);
@@ -834,6 +852,8 @@ void vp_printlist(FILE *fp, VALUE_PAIR const *vp)
char *vp_aprint_value(TALLOC_CTX *ctx, VALUE_PAIR const *vp, bool escape)
{
char *p;
+ unsigned int i;
+ DICT_VALUE const *dv;
switch (vp->da->type) {
case PW_TYPE_STRING:
@@ -860,19 +880,23 @@ char *vp_aprint_value(TALLOC_CTX *ctx, VALUE_PAIR const *vp, bool escape)
break;
}
- case PW_TYPE_BYTE:
- case PW_TYPE_SHORT:
case PW_TYPE_INTEGER:
- {
- DICT_VALUE *dv;
+ i = vp->vp_integer;
+ goto print_int;
- dv = dict_valbyattr(vp->da->attr, vp->da->vendor,
- vp->vp_integer);
- if (dv) {
- p = talloc_typed_strdup(ctx, dv->name);
- } else {
- p = talloc_typed_asprintf(ctx, "%u", vp->vp_integer);
- }
+ case PW_TYPE_SHORT:
+ i = vp->vp_short;
+ goto print_int;
+
+ case PW_TYPE_BYTE:
+ i = vp->vp_byte;
+
+ print_int:
+ dv = dict_valbyattr(vp->da->attr, vp->da->vendor, i);
+ if (dv) {
+ p = talloc_typed_strdup(ctx, dv->name);
+ } else {
+ p = talloc_typed_asprintf(ctx, "%u", i);
}
break;
diff --git a/src/lib/radius.c b/src/lib/radius.c
index 0a40682..aabc545 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -3984,18 +3984,18 @@ ssize_t rad_vp2data(uint8_t const **out, VALUE_PAIR const *vp)
}
case PW_TYPE_BOOLEAN:
- buffer[0] = vp->vp_integer & 0x01;
+ buffer[0] = vp->vp_byte & 0x01;
*out = buffer;
break;
case PW_TYPE_BYTE:
- buffer[0] = vp->vp_integer & 0xff;
+ buffer[0] = vp->vp_byte & 0xff;
*out = buffer;
break;
case PW_TYPE_SHORT:
- buffer[0] = (vp->vp_integer >> 8) & 0xff;
- buffer[1] = vp->vp_integer & 0xff;
+ buffer[0] = (vp->vp_short >> 8) & 0xff;
+ buffer[1] = vp->vp_short & 0xff;
*out = buffer;
break;
diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c
index 9dcae70..7d6ee88 100644
--- a/src/lib/valuepair.c
+++ b/src/lib/valuepair.c
@@ -1369,65 +1369,100 @@ int pairparsevalue(VALUE_PAIR *vp, char const *value, size_t inlen)
case PW_TYPE_BYTE:
{
char *p;
- vp->length = 1;
+ unsigned int i;
/*
* Note that ALL integers are unsigned!
*/
- vp->vp_integer = fr_strtoul(value, &p);
- if (!*p) {
- if (vp->vp_integer > 255) {
+ i = fr_strtoul(value, &p);
+
+ /*
+ * Look for the named value for the given
+ * attribute.
+ */
+ if (*p && !is_whitespace(p)) {
+ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) {
+ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name);
+ return -1;
+ }
+
+ vp->vp_byte = dval->value;
+ } else {
+ if (i > 255) {
fr_strerror_printf("Byte value \"%s\" is larger than 255", value);
return -1;
}
- break;
+
+ vp->vp_byte = i;
}
- if (is_whitespace(p)) break;
+
+ vp->length = 1;
+ break;
}
- goto check_for_value;
case PW_TYPE_SHORT:
{
char *p;
+ unsigned int i;
/*
* Note that ALL integers are unsigned!
*/
- vp->vp_integer = fr_strtoul(value, &p);
- vp->length = 2;
- if (!*p) {
- if (vp->vp_integer > 65535) {
- fr_strerror_printf("Byte value \"%s\" is larger than 65535", value);
+ i = fr_strtoul(value, &p);
+
+ /*
+ * Look for the named value for the given
+ * attribute.
+ */
+ if (*p && !is_whitespace(p)) {
+ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) {
+ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name);
return -1;
}
- break;
+
+ vp->vp_short = dval->value;
+ } else {
+ if (i > 65535) {
+ fr_strerror_printf("Short value \"%s\" is larger than 65535", value);
+ return -1;
+ }
+
+ vp->vp_short = i;
}
- if (is_whitespace(p)) break;
+
+ vp->length = 2;
+ break;
}
- goto check_for_value;
case PW_TYPE_INTEGER:
{
char *p;
+ unsigned int i;
/*
* Note that ALL integers are unsigned!
*/
- vp->vp_integer = fr_strtoul(value, &p);
- vp->length = 4;
- if (!*p) break;
- if (is_whitespace(p)) break;
+ i = fr_strtoul(value, &p);
- check_for_value:
/*
* Look for the named value for the given
* attribute.
*/
- if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) {
- fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name);
- return -1;
+ if (*p && !is_whitespace(p)) {
+ if ((dval = dict_valbyname(vp->da->attr, vp->da->vendor, value)) == NULL) {
+ fr_strerror_printf("Unknown value '%s' for attribute '%s'", value, vp->da->name);
+ return -1;
+ }
+
+ vp->vp_integer = dval->value;
+ } else {
+ /*
+ * Value is always within the limits
+ */
+ vp->vp_integer = i;
}
- vp->vp_integer = dval->value;
+
+ vp->length = 4;
}
break;
diff --git a/src/main/evaluate.c b/src/main/evaluate.c
index 5cf597d..a100c70 100644
--- a/src/main/evaluate.c
+++ b/src/main/evaluate.c
@@ -485,11 +485,11 @@ static int do_cast_copy(VALUE_PAIR *dst, VALUE_PAIR const *src)
break;
case PW_TYPE_SHORT:
- dst->vp_integer = ntohs(*(uint16_t const *) src->vp_octets);
+ dst->vp_short = ntohs(*(uint16_t const *) src->vp_octets);
break;
case PW_TYPE_BYTE:
- dst->vp_integer = src->vp_octets[0];
+ dst->vp_byte = src->vp_octets[0];
break;
default:
diff --git a/src/main/valuepair.c b/src/main/valuepair.c
index dc2bfc7..2dd517a 100644
--- a/src/main/valuepair.c
+++ b/src/main/valuepair.c
@@ -180,7 +180,11 @@ int radius_compare_vps(UNUSED REQUEST *request, VALUE_PAIR *check, VALUE_PAIR *v
break;
case PW_TYPE_BYTE:
+ ret = vp->vp_byte - check->vp_byte;
+ break;
case PW_TYPE_SHORT:
+ ret = vp->vp_short - check->vp_short;
+ break;
case PW_TYPE_INTEGER:
ret = vp->vp_integer - check->vp_integer;
break;
diff --git a/src/main/xlat.c b/src/main/xlat.c
index f2c8aff..a069919 100644
--- a/src/main/xlat.c
+++ b/src/main/xlat.c
@@ -177,9 +177,11 @@ static ssize_t xlat_integer(UNUSED void *instance, REQUEST *request,
case PW_TYPE_INTEGER:
case PW_TYPE_DATE:
+ return snprintf(out, outlen, "%u", vp->vp_integer);
case PW_TYPE_BYTE:
+ return snprintf(out, outlen, "%u", (unsigned int) vp->vp_byte);
case PW_TYPE_SHORT:
- return snprintf(out, outlen, "%u", vp->vp_integer);
+ return snprintf(out, outlen, "%u", (unsigned int) vp->vp_short);
/*
* Ethernet is weird... It's network related, so we assume to it should be
diff --git a/src/modules/rlm_couchbase/mod.c b/src/modules/rlm_couchbase/mod.c
index cc14677..36406a0 100644
--- a/src/modules/rlm_couchbase/mod.c
+++ b/src/modules/rlm_couchbase/mod.c
@@ -296,22 +296,33 @@ json_object *mod_value_pair_to_json_object(REQUEST *request, VALUE_PAIR *vp)
/* add this attribute/value pair to our json output */
if (!vp->da->flags.has_tag) {
+ unsigned int i;
+
switch (vp->da->type) {
case PW_TYPE_INTEGER:
- case PW_TYPE_BYTE:
+ i = vp->vp_integer;
+ goto print_int;
+
case PW_TYPE_SHORT:
+ i = vp->vp_short;
+ goto print_int;
+
+ case PW_TYPE_BYTE:
+ i = vp->vp_byte;
+
+ print_int:
/* skip if we have flags */
if (vp->da->flags.has_value) break;
#ifdef HAVE_JSON_OBJECT_NEW_INT64
/* debug */
RDEBUG3("creating new int64 for unsigned 32 bit int/byte/short '%s'", vp->da->name);
/* return as 64 bit int - JSON spec does not support unsigned ints */
- return json_object_new_int64(vp->vp_integer);
+ return json_object_new_int64(i);
#else
/* debug */
RDEBUG3("creating new int for unsigned 32 bit int/byte/short '%s'", vp->da->name);
/* return as 64 bit int - JSON spec does not support unsigned ints */
- return json_object_new_int(vp->vp_integer);
+ return json_object_new_int(i);
#endif
break;
case PW_TYPE_SIGNED:
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index 152f4ca..55e8e14 100644
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -325,12 +325,12 @@ static VALUE_PAIR *diameter2vp(REQUEST *request, REQUEST *fake, SSL *ssl,
case PW_TYPE_BYTE:
if (size != vp->length) goto raw;
- vp->vp_integer = data[0];
+ vp->vp_byte = data[0];
break;
case PW_TYPE_SHORT:
if (size != vp->length) goto raw;
- vp->vp_integer = (data[0] * 256) + data[1];
+ vp->vp_short = (data[0] * 256) + data[1];
break;
case PW_TYPE_SIGNED:
--
2.1.0

27
freeradius-add-P-option-to-radtest-synopsis.patch
View File

@ -1,27 +0,0 @@
From 50d13805262202627e0a8494508202d21a86c18b Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 27 Oct 2014 16:24:09 +0200
Subject: [PATCH 2/2] man: Add -P option to radtest synopsis
Add "-P" option to radtest's manpage SYNOPSIS to make it match the
OPTIONS section.
---
man/man1/radtest.1 | 2 ++
1 file changed, 2 insertions(+)
diff --git a/man/man1/radtest.1 b/man/man1/radtest.1
index 587870c..b318477 100644
--- a/man/man1/radtest.1
+++ b/man/man1/radtest.1
@@ -5,6 +5,8 @@ radtest - send packets to a RADIUS server, show reply
.B radtest
.RB [ \-d
.IR raddb_directory ]
+.RB [ \-P
+.IR tcp/udp ]
.RB [ \-t
.IR pap/chap/mschap/eap-md5 ]
.RB [ \-x
--
2.1.1

258
freeradius-add-disable-openssl-version-check.patch
View File

@ -1,258 +0,0 @@
From 10636fbfd51320c8ca8b40651bf3e959211ca921 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 21 Oct 2014 18:30:05 +0300
Subject: [PATCH 1/1] Add --disable-openssl-version-check option
Add "--disable-openssl-version-check" configure option, which removes
checking for vulnerable OpenSSL versions. It is supposed to be used by
downstream packagers and distributions who have other means to ensure
vulnerabilities are fixed, such as versioned package dependencies and
vulnerability handling processes.
This avoids the necessity of editing radiusd.conf on package upgrade to
make sure it keeps working. At the same time, it provides safe default
to those installing FreeRADIUS from source.
---
configure | 30 ++++++++++++++++++++++++++++++
configure.ac | 26 ++++++++++++++++++++++++++
raddb/radiusd.conf.in | 10 +---------
src/include/autoconf.h.in | 3 +++
src/include/radiusd.h | 2 ++
src/include/tls-h | 2 ++
src/main/mainconfig.c | 2 ++
src/main/radiusd.c | 2 ++
src/main/tls.c | 4 ++++
9 files changed, 72 insertions(+), 9 deletions(-)
diff --git a/configure b/configure
index 1b54efd..addfeba 100755
--- a/configure
+++ b/configure
@@ -652,6 +652,7 @@ RUSERS
SNMPWALK
SNMPGET
PERL
+openssl_version_check_config
modconfdir
dictdir
raddbdir
@@ -754,6 +755,7 @@ with_rlm_FOO_include_dir
with_openssl
with_openssl_lib_dir
with_openssl_include_dir
+enable_openssl_version_check
with_talloc_lib_dir
with_talloc_include_dir
with_pcap_lib_dir
@@ -1396,6 +1398,9 @@ Optional Features:
--disable-largefile omit support for large files
--enable-strict-dependencies fail configure on lack of module dependancy.
--enable-werror causes the build to fail if any warnings are generated.
+ --disable-openssl-version-check
+ disable vulnerable OpenSSL version check
+
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -5430,6 +5435,31 @@ if test "${with_openssl_include_dir+set}" = set; then :
fi
+# Check whether --enable-openssl-version-check was given.
+if test "${enable_openssl_version_check+set}" = set; then :
+ enableval=$enable_openssl_version_check;
+fi
+
+if test "x$enable_openssl_version_check" != "xno"; then
+
+$as_echo "#define ENABLE_OPENSSL_VERSION_CHECK 1" >>confdefs.h
+
+ openssl_version_check_config="\
+ #
+ # allow_vulnerable_openssl: Allow the server to start with
+ # versions of OpenSSL known to have critical vulnerabilities.
+ #
+ # This check is based on the version number reported by libssl
+ # and may not reflect patches applied to libssl by
+ # distribution maintainers.
+ #
+ allow_vulnerable_openssl = no"
+else
+ openssl_version_check_config=
+fi
+
+
+
CHECKRAD=checkrad
# Extract the first word of "perl", so it can be a program name with args.
diff --git a/configure.ac b/configure.ac
index 30b226b..b223505 100644
--- a/configure.ac
+++ b/configure.ac
@@ -576,6 +576,32 @@ AC_ARG_WITH(openssl-include-dir,
esac ]
)
+dnl #
+dnl # extra argument: --disable-openssl-version-check
+dnl #
+AC_ARG_ENABLE(openssl-version-check,
+[AS_HELP_STRING([--disable-openssl-version-check],
+ [disable vulnerable OpenSSL version check])]
+)
+if test "x$enable_openssl_version_check" != "xno"; then
+ AC_DEFINE(ENABLE_OPENSSL_VERSION_CHECK, [1],
+ [Define to 1 to have OpenSSL version check enabled])
+ openssl_version_check_config="\
+ #
+ # allow_vulnerable_openssl: Allow the server to start with
+ # versions of OpenSSL known to have critical vulnerabilities.
+ #
+ # This check is based on the version number reported by libssl
+ # and may not reflect patches applied to libssl by
+ # distribution maintainers.
+ #
+ allow_vulnerable_openssl = no"
+else
+ openssl_version_check_config=
+fi
+AC_SUBST([openssl_version_check_config])
+
+
dnl #############################################################
dnl #
dnl # 1. Checks for programs
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 307ae10..0e1ff46 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -475,15 +475,7 @@ security {
#
status_server = yes
- #
- # allow_vulnerable_openssl: Allow the server to start with
- # versions of OpenSSL known to have critical vulnerabilities.
- #
- # This check is based on the version number reported by libssl
- # and may not reflect patches applied to libssl by
- # distribution maintainers.
- #
- allow_vulnerable_openssl = no
+@openssl_version_check_config@
}
# PROXY CONFIGURATION
diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in
index c313bca..f500049 100644
--- a/src/include/autoconf.h.in
+++ b/src/include/autoconf.h.in
@@ -9,6 +9,9 @@
/* style of ctime_r function */
#undef CTIMERSTYLE
+/* Define to 1 to have OpenSSL version check enabled */
+#undef ENABLE_OPENSSL_VERSION_CHECK
+
/* style of gethostbyaddr_r functions */
#undef GETHOSTBYADDRRSTYLE
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index ebe3a21..1ec6959 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -437,7 +437,9 @@ typedef struct main_config_t {
#endif
uint32_t reject_delay;
bool status_server;
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
char const *allow_vulnerable_openssl;
+#endif
uint32_t max_request_time;
uint32_t cleanup_delay;
diff --git a/src/include/tls-h b/src/include/tls-h
index ade93d5..1418ea2 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -295,7 +295,9 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx);
/* TLS */
void tls_global_init(void);
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
int tls_global_version_check(char const *acknowledged);
+#endif
void tls_global_cleanup(void);
tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQUEST *request, bool client_cert);
tls_session_t *tls_new_client_session(fr_tls_server_conf_t *conf, int fd);
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index cf1eea5..76979ad 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -99,7 +99,9 @@ static const CONF_PARSER security_config[] = {
{ "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
{ "reject_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.reject_delay), STRINGIFY(0) },
{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
+#endif
{ NULL, -1, 0, NULL, NULL }
};
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 620d7d4..fe8057d 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -359,10 +359,12 @@ int main(int argc, char *argv[])
/* Check for vulnerabilities in the version of libssl were linked against */
#ifdef HAVE_OPENSSL_CRYPTO_H
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
if (tls_global_version_check(main_config.allow_vulnerable_openssl) < 0) {
exit(EXIT_FAILURE);
}
#endif
+#endif
/*
* Load the modules
diff --git a/src/main/tls.c b/src/main/tls.c
index 542ce69..42b538c 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -51,6 +51,7 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
#include <openssl/ocsp.h>
#endif
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
typedef struct libssl_defect {
uint64_t high;
uint64_t low;
@@ -71,6 +72,7 @@ static libssl_defect_t libssl_defects[] =
.comment = "For more information see http://heartbleed.com"
}
};
+#endif
/* record */
static void record_init(record_t *buf);
@@ -2063,6 +2065,7 @@ void tls_global_init(void)
OPENSSL_config(NULL);
}
+#ifdef ENABLE_OPENSSL_VERSION_CHECK
/** Check for vulnerable versions of libssl
*
* @param acknowledged The highest CVE number a user has confirmed is not present in the system's libssl.
@@ -2101,6 +2104,7 @@ int tls_global_version_check(char const *acknowledged)
return 0;
}
+#endif
/** Free any memory alloced by libssl
*
--
2.1.1

37
freeradius-added-D-option-to-mirror-radclient.patch
View File

@ -1,37 +0,0 @@
From 08700ea8b1f3a1ace01d294548f3ba2391cc06ab Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Sun, 2 Nov 2014 14:44:32 -0500
Subject: [PATCH 1/1] Added -D option to mirror radclient
---
src/modules/proto_dhcp/dhcpclient.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c
index ac52ffd..3bce4b3 100644
--- a/src/modules/proto_dhcp/dhcpclient.c
+++ b/src/modules/proto_dhcp/dhcpclient.c
@@ -73,6 +73,7 @@ static void NEVER_RETURNS usage(void)
fprintf(stderr, " <command> One of discover, request, offer, decline, release, inform.\n");
fprintf(stderr, " -d <directory> Set the directory where the dictionaries are stored (defaults to " RADDBDIR ").\n");
+ fprintf(stderr, " -D <dictdir> Set main dictionary directory (defaults to " DICTDIR ").\n");
fprintf(stderr, " -f <file> Read packets from file, not stdin.\n");
fprintf(stderr, " -t <timeout> Wait 'timeout' seconds for a reply (may be a floating point number).\n");
fprintf(stderr, " -v Show program version information.\n");
@@ -270,7 +271,11 @@ int main(int argc, char **argv)
fr_debug_flag = 0;
- while ((c = getopt(argc, argv, "d:f:hr:t:vx")) != EOF) switch(c) {
+ while ((c = getopt(argc, argv, "d:D:f:hr:t:vx")) != EOF) switch(c) {
+ case 'D':
+ dict_dir = optarg;
+ break;
+
case 'd':
radius_dir = optarg;
break;
--
2.1.3

280
freeradius-connection-fall-through-to-global-module-triggers.patch
View File

@ -1,280 +0,0 @@
From 132992fe92d53d62499d8c4672feafe210efc573 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 24 Oct 2014 14:37:11 +0300
Subject: [PATCH 4/4] connection: Fall through to global module triggers
Make module connection pool triggers use global module trigger
configuration, if there is no "trigger" section in the pool section.
Use fully-qualified module-specific trigger names for module-specific
connection pools in connection.c.
E.g. trigger "modules.ldap.open", instead of just "open" for pools
initialized with fr_connection_pool_module_init, being passed "ldap"
config section.
Send triggers even if the pool has no "trigger" section.
This makes exec_trigger fall through to global module triggers, if the
pool configuration doesn't have the "trigger" section.
---
src/include/connection.h | 3 +-
src/main/connection.c | 81 ++++++++++++++++++++++++++++++------------------
2 files changed, 53 insertions(+), 31 deletions(-)
diff --git a/src/include/connection.h b/src/include/connection.h
index e3752d5..eaf44e8 100644
--- a/src/include/connection.h
+++ b/src/include/connection.h
@@ -81,7 +81,8 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent,
void *opaque,
fr_connection_create_t c,
fr_connection_alive_t a,
- char const *prefix);
+ char const *log_prefix,
+ char const *trigger_prefix);
void fr_connection_pool_delete(fr_connection_pool_t *pool);
void *fr_connection_get(fr_connection_pool_t *pool);
diff --git a/src/main/connection.c b/src/main/connection.c
index 5f0c8f6..aec4f9d 100644
--- a/src/main/connection.c
+++ b/src/main/connection.c
@@ -110,10 +110,6 @@ struct fr_connection_pool_t {
uint32_t idle_timeout; //!< How long a connection can be idle
//!< before being closed.
- bool trigger; //!< If true execute connection triggers
- //!< associated with the connection
- //!< pool.
-
bool spread; //!< If true requests will be spread
//!< across all connections, instead of
//!< re-using the most recently used
@@ -158,6 +154,11 @@ struct fr_connection_pool_t {
//!< messages created by the connection
//!< pool code.
+ char const *trigger_prefix; //!< Prefix to prepend to
+ //!< names of all triggers
+ //!< fired by the connection
+ //!< pool code.
+
fr_connection_create_t create; //!< Function used to create new
//!< connections.
fr_connection_alive_t alive; //!< Function used to check status
@@ -271,6 +272,20 @@ static void fr_connection_link_tail(fr_connection_pool_t *pool,
}
}
+/** Send a connection pool trigger.
+ *
+ * @param[in] pool to send trigger for.
+ * @param[in] name_suffix trigger name suffix.
+ */
+static void fr_connection_exec_trigger(fr_connection_pool_t *pool,
+ char const *name_suffix)
+{
+ char name[64];
+ rad_assert(pool != NULL);
+ rad_assert(name_suffix != NULL);
+ snprintf(name, sizeof(name), "%s%s", pool->trigger_prefix, name_suffix);
+ exec_trigger(NULL, pool->cs, name, true);
+}
/** Spawns a new connection
*
@@ -403,7 +418,7 @@ static fr_connection_t *fr_connection_spawn(fr_connection_pool_t *pool,
pthread_mutex_unlock(&pool->mutex);
- if (pool->trigger) exec_trigger(NULL, pool->cs, "open", true);
+ fr_connection_exec_trigger(pool, "open");
return this;
}
@@ -436,7 +451,7 @@ static void fr_connection_close(fr_connection_pool_t *pool,
pool->active--;
}
- if (pool->trigger) exec_trigger(NULL, pool->cs, "close", true);
+ fr_connection_exec_trigger(pool, "close");
fr_connection_unlink(pool, this);
rad_assert(pool->num > 0);
@@ -542,7 +557,7 @@ void fr_connection_pool_delete(fr_connection_pool_t *pool)
fr_connection_close(pool, this);
}
- if (pool->trigger) exec_trigger(NULL, pool->cs, "stop", true);
+ fr_connection_exec_trigger(pool, "stop");
rad_assert(pool->head == NULL);
rad_assert(pool->tail == NULL);
@@ -559,33 +574,36 @@ void fr_connection_pool_delete(fr_connection_pool_t *pool)
* @param[in] opaque data pointer to pass to callbacks.
* @param[in] c Callback to create new connections.
* @param[in] a Callback to check the status of connections.
- * @param[in] prefix override, if NULL will be set automatically from the module CONF_SECTION.
+ * @param[in] log_prefix override, if NULL will be set automatically from the module CONF_SECTION.
* @return A new connection pool or NULL on error.
*/
fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module,
void *opaque,
fr_connection_create_t c,
fr_connection_alive_t a,
- char const *prefix)
+ char const *log_prefix)
{
CONF_SECTION *cs, *mycs;
char buff[128];
+ char trigger_prefix[64];
fr_connection_pool_t *pool;
+ char const *cs_name1, *cs_name2;
int ret;
#define CONNECTION_POOL_CF_KEY "connection_pool"
#define parent_name(_x) cf_section_name(cf_item_parent(cf_sectiontoitem(_x)))
- if (!prefix) {
- char const *cs_name1, *cs_name2;
- cs_name1 = cf_section_name1(module);
- cs_name2 = cf_section_name2(module);
- if (!cs_name2) cs_name2 = cs_name1;
+ cs_name1 = cf_section_name1(module);
+ cs_name2 = cf_section_name2(module);
+ if (!cs_name2) cs_name2 = cs_name1;
+
+ snprintf(trigger_prefix, sizeof(trigger_prefix), "modules.%s.", cs_name1);
+ if (!log_prefix) {
snprintf(buff, sizeof(buff), "rlm_%s (%s)", cs_name1, cs_name2);
- prefix = buff;
+ log_prefix = buff;
}
/*
@@ -597,11 +615,11 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module,
return NULL;
case 1:
- DEBUG4("%s: Using pool section from \"%s\"", prefix, parent_name(cs));
+ DEBUG4("%s: Using pool section from \"%s\"", log_prefix, parent_name(cs));
break;
case 0:
- DEBUG4("%s: Using local pool section", prefix);
+ DEBUG4("%s: Using local pool section", log_prefix);
break;
}
@@ -610,7 +628,7 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module,
*/
mycs = cf_section_sub_find(module, "pool");
if (!mycs) {
- DEBUG4("%s: Adding pool section to \"%s\" to store pool references", prefix,
+ DEBUG4("%s: Adding pool section to \"%s\" to store pool references", log_prefix,
cf_section_name(module));
mycs = cf_section_alloc(module, "pool", NULL);
@@ -622,7 +640,7 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module,
* Use our own local pool.
*/
if (!cs) {
- DEBUG4("%s: \"%s.pool\" section not found, using \"%s.pool\"", prefix,
+ DEBUG4("%s: \"%s.pool\" section not found, using \"%s.pool\"", log_prefix,
parent_name(cs), parent_name(mycs));
cs = mycs;
}
@@ -636,16 +654,16 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module,
*/
pool = cf_data_find(cs, CONNECTION_POOL_CF_KEY);
if (!pool) {
- DEBUG4("%s: No pool reference found in \"%s.pool\"", prefix, parent_name(cs));
- pool = fr_connection_pool_init(module, cs, opaque, c, a, prefix);
+ DEBUG4("%s: No pool reference found in \"%s.pool\"", log_prefix, parent_name(cs));
+ pool = fr_connection_pool_init(module, cs, opaque, c, a, log_prefix, trigger_prefix);
if (!pool) return NULL;
- DEBUG4("%s: Adding pool reference %p to \"%s.pool\"", prefix, pool, parent_name(cs));
+ DEBUG4("%s: Adding pool reference %p to \"%s.pool\"", log_prefix, pool, parent_name(cs));
cf_data_add(cs, CONNECTION_POOL_CF_KEY, pool, NULL);
return pool;
}
- DEBUG4("%s: Found pool reference %p in \"%s.pool\"", prefix, pool, parent_name(cs));
+ DEBUG4("%s: Found pool reference %p in \"%s.pool\"", log_prefix, pool, parent_name(cs));
/*
* We're reusing pool data add it to our local config
@@ -653,7 +671,7 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module,
* re-use a pool through this module.
*/
if (mycs != cs) {
- DEBUG4("%s: Copying pool reference %p from \"%s.pool\" to \"%s.pool\"", prefix, pool,
+ DEBUG4("%s: Copying pool reference %p from \"%s.pool\" to \"%s.pool\"", log_prefix, pool,
parent_name(cs), parent_name(mycs));
cf_data_add(mycs, CONNECTION_POOL_CF_KEY, pool, NULL);
}
@@ -676,7 +694,8 @@ fr_connection_pool_t *fr_connection_pool_module_init(CONF_SECTION *module,
* @param[in] opaque data pointer to pass to callbacks.
* @param[in] c Callback to create new connections.
* @param[in] a Callback to check the status of connections.
- * @param[in] prefix to prepend to all log messages.
+ * @param[in] log_prefix prefix to prepend to all log messages.
+ * @param[in] trigger_prefix prefix to prepend to all trigger names.
* @return A new connection pool or NULL on error.
*/
fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent,
@@ -684,7 +703,8 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent,
void *opaque,
fr_connection_create_t c,
fr_connection_alive_t a,
- char const *prefix)
+ char const *log_prefix,
+ char const *trigger_prefix)
{
uint32_t i;
fr_connection_pool_t *pool;
@@ -720,7 +740,9 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent,
pool->head = pool->tail = NULL;
- pool->log_prefix = prefix ? talloc_typed_strdup(pool, prefix) : "core";
+ pool->log_prefix = log_prefix ? talloc_typed_strdup(pool, log_prefix) : "core";
+ pool->trigger_prefix = trigger_prefix ?
+ talloc_typed_strdup(pool, trigger_prefix) : "";
#ifdef HAVE_PTHREAD_H
pthread_mutex_init(&pool->mutex, NULL);
@@ -729,7 +751,6 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent,
DEBUG("%s: Initialising connection pool", pool->log_prefix);
if (cf_section_parse(cs, pool, connection_config) < 0) goto error;
- if (cf_section_sub_find(cs, "trigger")) pool->trigger = true;
/*
* Some simple limits
@@ -780,7 +801,7 @@ fr_connection_pool_t *fr_connection_pool_init(CONF_SECTION *parent,
}
}
- if (pool->trigger) exec_trigger(NULL, pool->cs, "start", true);
+ fr_connection_exec_trigger(pool, "start");
return pool;
}
@@ -1222,7 +1243,7 @@ void *fr_connection_reconnect(fr_connection_pool_t *pool, void *conn)
return NULL;
}
- if (pool->trigger) exec_trigger(NULL, pool->cs, "close", true);
+ fr_connection_exec_trigger(pool, "close");
this->connection = new_conn;
pthread_mutex_unlock(&pool->mutex);
--
2.1.1

26
freeradius-dhcpclient-Add-a-short-description-to-help-output.patch
View File

@ -1,26 +0,0 @@
From 313d551547efa8493741ef1344e0629aab04dd70 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 5 Dec 2014 15:07:59 +0200
Subject: [PATCH 3/3] dhcpclient: Add a short description to help output
Add a short description of the program's function to the help output of
dhcpclient.
---
src/modules/proto_dhcp/dhcpclient.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c
index 64debfe..5677588 100644
--- a/src/modules/proto_dhcp/dhcpclient.c
+++ b/src/modules/proto_dhcp/dhcpclient.c
@@ -70,6 +70,7 @@ char const *dhcpclient_version = "dhcpclient version " RADIUSD_VERSION_STRING
static void NEVER_RETURNS usage(void)
{
fprintf(stderr, "Usage: dhcpclient [options] server[:port] <command>\n");
+ fprintf(stderr, "Send a DHCP request with provided RADIUS attrs and output response.\n");
fprintf(stderr, " <command> One of discover, request, offer, decline, release, inform.\n");
fprintf(stderr, " -d <directory> Set the directory where the dictionaries are stored (defaults to " RADDBDIR ").\n");
--
2.1.3

50
freeradius-dont-detach-after-perl_parse.patch
View File

@ -1,50 +0,0 @@
From fa9b2cd01fb5dbe583f5063f611a45c9d033a54a Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 30 Sep 2014 16:19:47 +0300
Subject: [PATCH 1/1] perl: Don't call detach after failed perl_parse
Don't call "detach" callback in rlm_perl, if perl_parse of the Perl
module failed.
This fixes segfault when the module file cannot be read:
Can't open perl script "/etc/raddb/mods-config/perl/example.pl": Permission denied
rlm_perl: perl_parse failed: /etc/raddb/mods-config/perl/example.pl not found or has syntax errors.
/etc/raddb/mods-enabled/perl[7]: Instantiation failed for module "perl"
Segmentation fault
---
src/modules/rlm_perl/rlm_perl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/modules/rlm_perl/rlm_perl.c b/src/modules/rlm_perl/rlm_perl.c
index d423524..039d7c8 100644
--- a/src/modules/rlm_perl/rlm_perl.c
+++ b/src/modules/rlm_perl/rlm_perl.c
@@ -73,6 +73,7 @@ typedef struct rlm_perl_t {
char const *xlat_name;
char const *perl_flags;
PerlInterpreter *perl;
+ bool perl_parsed;
pthread_key_t *thread_key;
#ifdef USE_ITHREADS
@@ -538,6 +539,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
PL_endav = (AV *)NULL;
if(!exitstatus) {
+ inst->perl_parsed = true;
perl_run(inst->perl);
} else {
ERROR("rlm_perl: perl_parse failed: %s not found or has syntax errors. \n", inst->module);
@@ -1012,7 +1014,7 @@ static int mod_detach(void *instance)
}
#endif
- if (inst->func_detach) {
+ if (inst->perl_parsed && inst->func_detach) {
dTHXa(inst->perl);
PERL_SET_CONTEXT(inst->perl);
{
--
2.1.0

46
freeradius-dont-swap-uint128-printing-on-be.patch
View File

@ -1,46 +0,0 @@
From 168275c3f4ffe9d0e09ed7a3789b45b440416f73 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Wed, 1 Oct 2014 16:32:11 +0300
Subject: [PATCH 4/4] Don't assume little-endian in fr_prints_uint128
Add handling of big-endian architectures to fr_prints_uint128.
---
src/lib/misc.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index 66171ff..d0ccd6c 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -1366,6 +1366,13 @@ size_t fr_prints_uint128(char *out, size_t outlen, uint128_t const num)
uint64_t n[2];
char *p = buff;
int i;
+#ifdef RADIUS_LITTLE_ENDIAN
+ const size_t l = 0;
+ const size_t h = 1;
+#else
+ const size_t l = 1;
+ const size_t h = 0;
+#endif
memset(buff, '0', sizeof(buff) - 1);
buff[sizeof(buff) - 1] = '\0';
@@ -1376,11 +1383,11 @@ size_t fr_prints_uint128(char *out, size_t outlen, uint128_t const num)
ssize_t j;
int carry;
- carry = (n[1] >= 0x8000000000000000);
+ carry = (n[h] >= 0x8000000000000000);
// Shift n[] left, doubling it
- n[1] = ((n[1] << 1) & 0xffffffffffffffff) + (n[0] >= 0x8000000000000000);
- n[0] = ((n[0] << 1) & 0xffffffffffffffff);
+ n[h] = ((n[h] << 1) & 0xffffffffffffffff) + (n[l] >= 0x8000000000000000);
+ n[l] = ((n[l] << 1) & 0xffffffffffffffff);
// Add s[] to itself in decimal, doubling it
for (j = sizeof(buff) - 2; j >= 0; j--) {
--
2.1.0

27
freeradius-dont-truncate-uint64.patch
View File

@ -1,27 +0,0 @@
From de77beacf1c0bd64335f0f949af9da71437d3ba5 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 30 Sep 2014 22:27:36 +0300
Subject: [PATCH 1/4] Don't truncate 64-bit integers in do_cast_copy
Assign converted octets to vp_integer64, instead of vp_integer to avoid
truncation in do_cast_copy.
---
src/main/evaluate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/evaluate.c b/src/main/evaluate.c
index f91d482..5cf597d 100644
--- a/src/main/evaluate.c
+++ b/src/main/evaluate.c
@@ -475,7 +475,7 @@ static int do_cast_copy(VALUE_PAIR *dst, VALUE_PAIR const *src)
do_octets:
switch (dst->da->type) {
case PW_TYPE_INTEGER64:
- dst->vp_integer = ntohll(*(uint64_t const *) src->vp_octets);
+ dst->vp_integer64 = ntohll(*(uint64_t const *) src->vp_octets);
break;
case PW_TYPE_INTEGER:
--
2.1.0

139
freeradius-exec-dont-assume-request-presence-when-logging.patch
View File

@ -1,139 +0,0 @@
From 13c5c908548c29ab30ae2e274a5d2baa96eadae4 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Wed, 15 Oct 2014 20:03:11 +0300
Subject: [PATCH 1/4] exec: Don't assume request presence when logging
Use DEBUG* macros for logging, instead of RDEBUG* macros in
radius_start_program and radius_readfrom_program as these are not
guaranteed to be invoked with a valid request.
For example, not from most of the exec_trigger invocations.
---
src/include/radiusd.h | 2 +-
src/main/exec.c | 22 +++++++++++-----------
src/modules/rlm_mschap/rlm_mschap.c | 2 +-
3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index 21d510b..ebe3a21 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -606,7 +606,7 @@ int rad_virtual_server(REQUEST *);
pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait,
int *input_fd, int *output_fd,
VALUE_PAIR *input_pairs, bool shell_escape);
-int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout,
+int radius_readfrom_program(int fd, pid_t pid, int timeout,
char *answer, int left);
int radius_exec_program(REQUEST *request, char const *cmd, bool exec_wait, bool shell_escape,
char *user_msg, size_t msg_len, int timeout,
diff --git a/src/main/exec.c b/src/main/exec.c
index b421053..1188d0a 100644
--- a/src/main/exec.c
+++ b/src/main/exec.c
@@ -103,16 +103,16 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait,
argc = rad_expand_xlat(request, cmd, MAX_ARGV, argv, true, sizeof(argv_buf), argv_buf);
if (argc <= 0) {
- RDEBUG("invalid command line '%s'.", cmd);
+ DEBUG("invalid command line '%s'.", cmd);
return -1;
}
#ifndef NDEBUG
if (debug_flag > 2) {
- RDEBUG3("executing cmd %s", cmd);
+ DEBUG3("executing cmd %s", cmd);
for (i = 0; i < argc; i++) {
- RDEBUG3("\t[%d] %s", i, argv[i]);
+ DEBUG3("\t[%d] %s", i, argv[i]);
}
}
#endif
@@ -124,13 +124,13 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait,
if (exec_wait) {
if (input_fd) {
if (pipe(to_child) != 0) {
- RDEBUG("Couldn't open pipe to child: %s", fr_syserror(errno));
+ DEBUG("Couldn't open pipe to child: %s", fr_syserror(errno));
return -1;
}
}
if (output_fd) {
if (pipe(from_child) != 0) {
- RDEBUG("Couldn't open pipe from child: %s", fr_syserror(errno));
+ DEBUG("Couldn't open pipe from child: %s", fr_syserror(errno));
/* safe because these either need closing or are == -1 */
close(to_child[0]);
close(to_child[1]);
@@ -206,7 +206,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait,
*/
devnull = open("/dev/null", O_RDWR);
if (devnull < 0) {
- RDEBUG("Failed opening /dev/null: %s\n", fr_syserror(errno));
+ DEBUG("Failed opening /dev/null: %s\n", fr_syserror(errno));
/*
* Where the status code is interpreted as a module rcode
@@ -287,7 +287,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait,
* Parent process.
*/
if (pid < 0) {
- RDEBUG("Couldn't fork %s: %s", argv[0], fr_syserror(errno));
+ DEBUG("Couldn't fork %s: %s", argv[0], fr_syserror(errno));
if (exec_wait) {
/* safe because these either need closing or are == -1 */
close(to_child[0]);
@@ -320,7 +320,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait,
return pid;
#else
if (exec_wait) {
- RDEBUG("Wait is not supported");
+ DEBUG("Wait is not supported");
return -1;
}
@@ -366,7 +366,7 @@ pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait,
* @param left length of buffer.
* @return -1 on error, or length of output.
*/
-int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout,
+int radius_readfrom_program(int fd, pid_t pid, int timeout,
char *answer, int left)
{
int done = 0;
@@ -422,7 +422,7 @@ int radius_readfrom_program(REQUEST *request, int fd, pid_t pid, int timeout,
rcode = select(fd + 1, &fds, NULL, NULL, &wake);
if (rcode == 0) {
too_long:
- RDEBUG("Child PID %u is taking too much time: forcing failure and killing child.", pid);
+ DEBUG("Child PID %u is taking too much time: forcing failure and killing child.", pid);
kill(pid, SIGTERM);
close(fd); /* should give SIGPIPE to child, too */
@@ -536,7 +536,7 @@ int radius_exec_program(REQUEST *request, char const *cmd, bool exec_wait, bool
}
#ifndef __MINGW32__
- len = radius_readfrom_program(request, from_child, pid, timeout, answer, sizeof(answer));
+ len = radius_readfrom_program(from_child, pid, timeout, answer, sizeof(answer));
if (len < 0) {
/*
* Failure - radius_readfrom_program will
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
index 0101ddf..03f94a9 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -794,7 +794,7 @@ static int CC_HINT(nonnull (1, 2, 4, 5)) do_mschap_cpw(rlm_mschap_t *inst,
/*
* Read from the child
*/
- len = radius_readfrom_program(request, from_child, pid, 10, buf, sizeof(buf));
+ len = radius_readfrom_program(from_child, pid, 10, buf, sizeof(buf));
if (len < 0) {
/* radius_readfrom_program will have closed from_child for us */
REDEBUG("Failure reading from child");
--
2.1.1

85
freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch
View File

@ -1,85 +0,0 @@
From bae8305c7c1f35f853d9ffe520983c90f2a927a8 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Sun, 5 Oct 2014 17:31:34 -0400
Subject: [PATCH 1/1] Fix checks for PW_TYPE_FILE_INPUT
---
src/main/conffile.c | 45 +++++++--------------------------------------
1 file changed, 7 insertions(+), 38 deletions(-)
diff --git a/src/main/conffile.c b/src/main/conffile.c
index 37c8aba..a221dcd 100644
--- a/src/main/conffile.c
+++ b/src/main/conffile.c
@@ -985,7 +985,7 @@ static inline int fr_item_validate_ipaddr(CONF_SECTION *cs, char const *name, PW
int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char const *dflt)
{
int rcode;
- bool deprecated, required, attribute, secret;
+ bool deprecated, required, attribute, secret, input;
char **q;
char const *value;
CONF_PAIR const *cp = NULL;
@@ -998,6 +998,7 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char
required = (type & PW_TYPE_REQUIRED);
attribute = (type & PW_TYPE_ATTRIBUTE);
secret = (type & PW_TYPE_SECRET);
+ input = (type == PW_TYPE_FILE_INPUT); /* check, not and */
type &= 0xff; /* normal types are small */
rcode = 0;
@@ -1157,46 +1158,14 @@ int cf_item_parse(CONF_SECTION *cs, char const *name, int type, void *data, char
cs->depth, parse_spaces, name, value ? value : "(null)");
}
*q = value ? talloc_typed_strdup(cs, value) : NULL;
- break;
-
- /*
- * This is the same as PW_TYPE_STRING,
- * except that we also "stat" the file, and
- * cache the result.
- */
- case PW_TYPE_FILE_INPUT:
- case PW_TYPE_FILE_OUTPUT:
- q = (char **) data;
- if (*q != NULL) {
- free(*q);
- }
-
- /*
- * Expand variables which haven't already been
- * expanded automagically when the configuration
- * file was read.
- */
- if ((value == dflt) && cs) {
- int lineno = 0;
-
- value = cf_expand_variables("?",
- &lineno,
- cs, buffer, sizeof(buffer),
- value);
- if (!value) return -1;
- }
-
- if (required && (!value || !*value)) goto is_required;
-
- cf_log_info(cs, "%.*s\t%s = \"%s\"",
- cs->depth, parse_spaces, name, value);
- *q = value ? talloc_typed_strdup(cs, value) : NULL;
/*
- * If the filename exists and we're supposed to
- * read it, check it.
+ * If there's data AND it's an input file, check
+ * that we can read it. This check allows errors
+ * to be caught as early as possible, during
+ * server startup.
*/
- if (*q && (type == PW_TYPE_FILE_INPUT)) {
+ if (*q && input) {
struct stat buf;
if (stat(*q, &buf) < 0) {
--
2.1.1

40
freeradius-fix-dhcp-dictionary-loading.patch
View File

@ -1,40 +0,0 @@
From dda57af171687d60e21e8e2620e87b25939d0c29 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 6 Oct 2014 17:00:25 +0300
Subject: [PATCH 1/1] dhcpclient: Load dictionary.dhcp from DICTDIR.
Load dictionary.dhcp from DICTDIR instead of RADDBDIR in dhcpclient.c,
as it is found only in the former.
This fixes the following error printed when invoking dhcpclient:
Failed reading dictionary.dhcp: dict_init: Couldn't open dictionary
"/etc/raddb/dictionary.dhcp": No such file or directory
---
src/modules/proto_dhcp/dhcpclient.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/modules/proto_dhcp/dhcpclient.c b/src/modules/proto_dhcp/dhcpclient.c
index b29b9a2..ac52ffd 100644
--- a/src/modules/proto_dhcp/dhcpclient.c
+++ b/src/modules/proto_dhcp/dhcpclient.c
@@ -264,6 +264,7 @@ int main(int argc, char **argv)
char *p;
int c;
char const *radius_dir = RADDBDIR;
+ char const *dict_dir = DICTDIR;
char const *filename = NULL;
DICT_ATTR const *da;
@@ -315,7 +316,7 @@ int main(int argc, char **argv)
*/
da = dict_attrbyname("DHCP-Message-Type");
if (!da) {
- if (dict_read(radius_dir, "dictionary.dhcp") < 0) {
+ if (dict_read(dict_dir, "dictionary.dhcp") < 0) {
fprintf(stderr, "Failed reading dictionary.dhcp: %s",
fr_strerror());
return -1;
--
2.1.1

59
freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch
View File

@ -1,59 +0,0 @@
From b5b92669c32b50b2f96a3ae53d4222d6cb3d1287 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 28 Oct 2014 15:57:56 +0200
Subject: [PATCH 1/1] Ignore SIGTERM when firing stop and signal.term
Move firing "server.stop" and "server.signal.term" triggers beyond
setting SIGTERM action to SIG_IGN in main().
This way handler commands for these triggers don't receive SIGTERM with
the rest of the process group and don't possibly terminate before doing
their work. E.g. snmptrap manages to send the notifications.
---
src/main/process.c | 1 -
src/main/radiusd.c | 10 ++++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/main/process.c b/src/main/process.c
index 7e1a51e..f427205 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -4536,7 +4536,6 @@ static void handle_signal_self(int flag)
fr_event_loop_exit(el, 1);
} else {
INFO("Signalled to terminate");
- exec_trigger(NULL, NULL, "server.signal.term", true);
fr_event_loop_exit(el, 2);
}
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 620d7d4..86c7013 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -592,8 +592,6 @@ int main(int argc, char *argv[])
INFO("Exiting normally");
}
- exec_trigger(NULL, NULL, "server.stop", false);
-
/*
* Ignore the TERM signal: we're
* about to die.
@@ -601,6 +599,14 @@ int main(int argc, char *argv[])
signal(SIGTERM, SIG_IGN);
/*
+ * Fire signal and stop triggers after ignoring SIGTERM, so handlers are
+ * not killed with the rest of the process group, below.
+ */
+ if (status == 2)
+ exec_trigger(NULL, NULL, "server.signal.term", true);
+ exec_trigger(NULL, NULL, "server.stop", false);
+
+ /*
* Send a TERM signal to all
* associated processes
* (including us, which gets
--
2.1.1

53
freeradius-make-grp-tallo-c-too.patch
View File

@ -1,53 +0,0 @@
From d51daa8f56f5c55f2effdb308ef4a14016118753 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Sun, 5 Oct 2014 17:22:26 -0400
Subject: [PATCH 1/1] Make grp tallo'c, too
---
src/modules/rlm_unix/rlm_unix.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c
index 0a01074..9e55c26 100644
--- a/src/modules/rlm_unix/rlm_unix.c
+++ b/src/modules/rlm_unix/rlm_unix.c
@@ -75,20 +75,20 @@ static const CONF_PARSER module_config[] = {
#else
static struct group *fr_getgrnam(TALLOC_CTX *ctx, char const *name)
{
- struct group *grp, my_group;
+ struct group *grp, *result;
char *group_buffer;
size_t group_size = 1024;
- grp = NULL;
- group_buffer = talloc_array(ctx, char, group_size);
+ grp = talloc(ctx, struct group);
+ group_buffer = talloc_array(grp, char, group_size);
while (group_buffer) {
int err;
- err = getgrnam_r(name, &my_group, group_buffer, group_size, &grp);
+ err = getgrnam_r(name, grp, group_buffer, group_size, &result);
if (err == ERANGE) {
group_size *= 2;
talloc_free(group_buffer);
- group_buffer = talloc_array(ctx, char, group_size);
+ group_buffer = talloc_array(grp, char, group_size);
continue;
}
@@ -145,6 +145,10 @@ static int groupcmp(UNUSED void *instance, REQUEST *req, UNUSED VALUE_PAIR *requ
}
}
+#ifdef HAVE_GETGRNAM_R
+ talloc_free(grp);
+#endif
+
return retval;
}
--
2.1.1

100
freeradius-man-remove-client-attribute-description.patch
View File

@ -1,100 +0,0 @@
From ca2eedaad0bc27dd6a540e61c583f0b745641a84 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 2 Dec 2014 16:39:28 +0200
Subject: [PATCH 1/2] man: Remove client attribute description
Remove attribute description from clients.conf(5) source as it is
outdated, lists just a few attributes and wasn't updated for more than a
year. Refer to clients.conf file itself, instead.
---
man/man5/clients.conf.5 | 74 +++----------------------------------------------
1 file changed, 4 insertions(+), 70 deletions(-)
diff --git a/man/man5/clients.conf.5 b/man/man5/clients.conf.5
index 9af246a..f9207d1 100644
--- a/man/man5/clients.conf.5
+++ b/man/man5/clients.conf.5
@@ -26,76 +26,10 @@ client <short-name> {
<attribute> = <value>
}
.fi
-.SH ATTRIBUTES
-The attributes that can appear in a
-.B client
-section are listed below. Required attributes are labelled as
-such. All other attributes are optional.
-.TP 0.5i
-.B ipaddr [Required]
-The IP address of the client. For IPv6, use "ipv6addr"
-.TP 0.5i
-.B secret [Required]
-The RADIUS shared secret used for communication between the client/NAS
-and the RADIUS server.
-.TP 0.5i
-.B shortname [optional]
-A short alias that can be used in place of the IP address or fully
-qualified hostname provided in the first line of the section.
-.TP 0.5i
-.B nas_type
-The nas_type attribute is used to tell the
-.BR checkrad.pl
-script which NAS-specific method it should use when checking
-simultaneous use.
-
-The following values are currently recognized:
-.nf
-cisco
-computone
-livingston
-max40xx
-multitech
-netserver
-pathras
-patton
-portslave
-tc
-usrhiper
-other
-.fi
-.TP 0.5i
-.B login
-Reserved for future use.
-.TP 0.5i
-.B password
-Reserved for future use.
-.SH EXAMPLES
-.IP
-.nf
-client localhost {
- ipaddr = 127.0.0.1
- secret = testing123
- shortname = localhost
- nas_type = other
-}
-.fi
-.LP
-This adds a client for the loopback address. This is useful in testing
-the
-server locally, for example with
-.BR radclient (1).
-.IP
-.nf
-client private-network-1 {
- ipaddr = 192.0.2.0
- netmask = 24
- secret = testing123-1
- shortname = private-network-1
-}
-.fi
-.LP
-This entry represents any client from the 192.0.2.0/24 network.
+.PP
+Clients have many configuration parameters. Most are documented in the file
+itself as comments. This page documents only the format of the file. Please
+read the \fBclients.conf\fP file itself for more information.
The old-style format from 1.x is still accepted by the server, but
that form is deprecated.
--
2.1.3

67
freeradius-man-remove-references-to-naslist-and-clients.patch
View File

@ -1,67 +0,0 @@
From 55a489a7885608158f66823686d89eb7cf54d5a9 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 2 Dec 2014 16:43:49 +0200
Subject: [PATCH 2/2] man: Remove references to naslist and clients
Remove references to non-existent naslist and clients manpages as they
are confusing.
---
man/man5/clients.conf.5 | 8 +++-----
man/man5/dictionary.5 | 1 -
man/man5/users.5 | 1 -
3 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/man/man5/clients.conf.5 b/man/man5/clients.conf.5
index f9207d1..6c6b3ee 100644
--- a/man/man5/clients.conf.5
+++ b/man/man5/clients.conf.5
@@ -8,9 +8,9 @@ file contains definitions of RADIUS clients.
.PP
The information in this file overrides any information provided in
the deprecated
-.BR clients (5)
+.BR clients
and
-.BR naslist (5)
+.BR naslist
files.
.PP
The file format is the same as that used for
@@ -39,9 +39,7 @@ that form is deprecated.
.I /etc/raddb/radiusd.conf
.SH "SEE ALSO"
.BR radiusd (8),
-.BR radiusd.conf (5),
-.BR clients (5),
-.BR naslist (5)
+.BR radiusd.conf (5)
.SH AUTHOR
FreeRADIUS is authored by the FreeRADIUS team.
diff --git a/man/man5/dictionary.5 b/man/man5/dictionary.5
index 6b60602..d685081 100644
--- a/man/man5/dictionary.5
+++ b/man/man5/dictionary.5
@@ -176,7 +176,6 @@ the attribute number should be used instead.
.I /usr/share/freeradius/dictionary.*
.SH "SEE ALSO"
.BR radiusd (8),
-.BR naslist (5),
.BR RFC2865,
.BR RFC2866,
.BR RFC2868
diff --git a/man/man5/users.5 b/man/man5/users.5
index ed8f471..c9aef82 100644
--- a/man/man5/users.5
+++ b/man/man5/users.5
@@ -243,7 +243,6 @@ entries that set reply attributes.
.BR radclient (1),
.BR radiusd (8),
.BR dictionary (5),
-.BR naslist (5)
.SH AUTHOR
The FreeRADIUS team.
--
2.1.3

27
freeradius-mention-eap-md5-in-radtest-synopsis.patch
View File

@ -1,27 +0,0 @@
From b00d9a63963c4d5dec72d8c4671a72cde5c4ca69 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 27 Oct 2014 16:14:35 +0200
Subject: [PATCH 1/2] man: Mention eap-md5 in radtest synopsis
Add "eap-md5" to the possible values of -t option in radtest's manpage
SYNOPSIS to match the detailed description in the OPTIONS.
---
man/man1/radtest.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/man/man1/radtest.1 b/man/man1/radtest.1
index f4fdba3..587870c 100644
--- a/man/man1/radtest.1
+++ b/man/man1/radtest.1
@@ -6,7 +6,7 @@ radtest - send packets to a RADIUS server, show reply
.RB [ \-d
.IR raddb_directory ]
.RB [ \-t
-.IR pap/chap/mschap ]
+.IR pap/chap/mschap/eap-md5 ]
.RB [ \-x
.IR ]
.RB [ \-4
--
2.1.1

168
freeradius-prefix-endian-macros.patch
View File

@ -1,168 +0,0 @@
From 4a906c702ac31da5977eba6698fa5435474cb47f Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Wed, 1 Oct 2014 15:11:12 +0300
Subject: [PATCH 3/4] Prefix *_ENDIAN macros with RADIUS_
Rename LITTLE_ENDIAN and BIG_ENDIAN macros to RADIUS_LITTLE_ENDIAN and
RADIUS_BIG_ENDIAN respectively to avoid clashes with
/usr/include/endian.h defines, which result in always assuming
little-endian architecture.
---
configure | 4 ++--
configure.ac | 4 ++--
src/include/autoconf.h.in | 16 ++++++++--------
src/include/build.h | 6 +++---
src/include/missing-h | 4 ++--
src/lib/missing.c | 2 +-
src/main/version.c | 4 ++--
7 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/configure b/configure
index f15072d..1b54efd 100755
--- a/configure
+++ b/configure
@@ -4771,11 +4771,11 @@ $as_echo "$ac_cv_c_bigendian" >&6; }
case $ac_cv_c_bigendian in #(
yes)
-$as_echo "#define BIG_ENDIAN 1" >>confdefs.h
+$as_echo "#define RADIUS_BIG_ENDIAN 1" >>confdefs.h
;; #(
no)
-$as_echo "#define LITTLE_ENDIAN 1" >>confdefs.h
+$as_echo "#define RADIUS_LITTLE_ENDIAN 1" >>confdefs.h
;; #(
universal)
diff --git a/configure.ac b/configure.ac
index 76466ec..30b226b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -167,8 +167,8 @@ dnl # check for system bytesex
dnl # AC_DEFINES WORDS_BIGENDIAN
dnl #
AC_C_BIGENDIAN(
- [AC_DEFINE(BIG_ENDIAN, 1, [Define if your processor stores words with the most significant byte first])],
- [AC_DEFINE(LITTLE_ENDIAN, 1, [Define if your processor stores words with the least significant byte first])]
+ [AC_DEFINE(RADIUS_BIG_ENDIAN, 1, [Define if your processor stores words with the most significant byte first])],
+ [AC_DEFINE(RADIUS_LITTLE_ENDIAN, 1, [Define if your processor stores words with the least significant byte first])]
)
dnl #
diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in
index 6e6e355..c313bca 100644
--- a/src/include/autoconf.h.in
+++ b/src/include/autoconf.h.in
@@ -3,10 +3,6 @@
/* Define if building universal (internal helper macro) */
#undef AC_APPLE_UNIVERSAL_BUILD
-/* Define if your processor stores words with the most significant byte first
- */
-#undef BIG_ENDIAN
-
/* BSD-Style get*byaddr_r */
#undef BSDSTYLE
@@ -443,10 +439,6 @@
/* compiler specific 128 bit unsigned integer */
#undef HAVE___UINT128_T
-/* Define if your processor stores words with the least significant byte first
- */
-#undef LITTLE_ENDIAN
-
/* define if you have OSFC2 authentication */
#undef OSFC2
@@ -483,6 +475,14 @@
/* Raw version string from VERSION file */
#undef RADIUSD_VERSION_STRING
+/* Define if your processor stores words with the most significant byte first
+ */
+#undef RADIUS_BIG_ENDIAN
+
+/* Define if your processor stores words with the least significant byte first
+ */
+#undef RADIUS_LITTLE_ENDIAN
+
/* Define as the return type of signal handlers (`int' or `void'). */
#undef RETSIGTYPE
diff --git a/src/include/build.h b/src/include/build.h
index 66c3087..4c1bf1a 100644
--- a/src/include/build.h
+++ b/src/include/build.h
@@ -105,13 +105,13 @@ extern "C" {
* Here at least the endianess can be set explicitly with
* -DLITTLE_ENDIAN or -DBIG_ENDIAN.
*/
-#if !defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN)
+#if !defined(RADIUS_LITTLE_ENDIAN) && !defined(RADIUS_BIG_ENDIAN)
# if defined(__LITTLE_ENDIAN__) || \
(defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__))
-# define LITTLE_ENDIAN 1
+# define RADIUS_LITTLE_ENDIAN 1
# elif defined(__BIG_ENDIAN__) || \
(defined(__BYTE_ORDER__) && (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__))
-# define BIG_ENDIAN 1
+# define RADIUS_BIG_ENDIAN 1
# else
# error Failed determining endianness of system
# endif
diff --git a/src/include/missing-h b/src/include/missing-h
index 3f286a4..7136172 100644
--- a/src/include/missing-h
+++ b/src/include/missing-h
@@ -424,7 +424,7 @@ typedef struct int128_t { uint8_t v[16]; } int128_t;
/* abcd efgh -> dcba hgfe -> hgfe dcba */
#ifndef HAVE_HTON_LL
-# ifdef LITTLE_ENDIAN
+# ifdef RADIUS_LITTLE_ENDIAN
# ifdef HAVE_BUILTIN_BSWAP64
# define ntohll(x) __builtin_bswap64(x)
# else
@@ -437,7 +437,7 @@ typedef struct int128_t { uint8_t v[16]; } int128_t;
#endif
#ifndef HAVE_HTON_LLL
-# ifdef LITTLE_ENDIAN
+# ifdef RADIUS_LITTLE_ENDIAN
# ifdef HAVE_128BIT_INTEGERS
# define ntohlll(x) (((uint128_t)ntohll((uint64_t)(x >> 64))) | (((uint128_t)ntohll(((uint64_t) x)) << 64)))
# else
diff --git a/src/lib/missing.c b/src/lib/missing.c
index 4598c8f..efd5461 100644
--- a/src/lib/missing.c
+++ b/src/lib/missing.c
@@ -273,7 +273,7 @@ ntp2timeval(struct timeval *tv, char const *ntp)
tv->tv_usec = usec / 4295; /* close enough */
}
-#if !defined(HAVE_128BIT_INTEGERS) && defined(LITTLE_ENDIAN)
+#if !defined(HAVE_128BIT_INTEGERS) && defined(RADIUS_LITTLE_ENDIAN)
/** Swap byte order of 128 bit integer
*
* @param num 128bit integer to swap.
diff --git a/src/main/version.c b/src/main/version.c
index 0aba383..8b56ffa 100644
--- a/src/main/version.c
+++ b/src/main/version.c
@@ -276,9 +276,9 @@ void version(void)
DEBUG3(" 0x%llx", (unsigned long long) libmagic);
DEBUG3("Endianess:");
-#if defined(LITTLE_ENDIAN)
+#if defined(RADIUS_LITTLE_ENDIAN)
DEBUG3(" little");
-#elif defined(BIG_ENDIAN)
+#elif defined(RADIUS_BIG_ENDIAN)
DEBUG3(" big");
#else
DEBUG3(" unknown");
--
2.1.0

64
freeradius-rad_counter-Refine-help-message.patch
View File

@ -1,64 +0,0 @@
From 68b1b158029501208d1c6a60aa2794d9589c2a08 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 5 Dec 2014 12:24:37 +0200
Subject: [PATCH 2/3] rad_counter: Refine help message
Refine rad_counter help message:
* use executable name without path,
* add program purpose,
* shorten usage summary line for clarity,
* separate arguments and options,
* add full stops to sentences,
* wrap a long line.
---
src/modules/rlm_counter/rad_counter | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/src/modules/rlm_counter/rad_counter b/src/modules/rlm_counter/rad_counter
index b6c1159..1beef29 100755
--- a/src/modules/rlm_counter/rad_counter
+++ b/src/modules/rlm_counter/rad_counter
@@ -6,6 +6,7 @@ use warnings ;
use GDBM_File ;
use Fcntl ;
use Getopt::Long;
+use File::Basename;
my $user = '';
my $divisor = 1;
@@ -19,17 +20,22 @@ my $help = 0;
$filename = '';
sub show_help {
- print <<"EOF";
-Usage: $0 --file=<counter filename> [--reset=<seconds>] [--match=<regexp>]
-[--user=<username>] [--help] [--hours|--minutes|--seconds]
+ my $progname = basename($0);
+ print <<EOF;
+Usage: $progname --file=<counter filename> [OPTION...]
+Query and maintain FreeRADIUS rlm_counter DB file.
---user=<username> Information for specific user
---file=<filename> Counter db filename
---match=<regexp> Information for matching users
+Arguments:
+--file=<filename> Counter DB filename.
+
+Options:
+--user=<username> Information for specific user.
+--match=<regexp> Information for matching users.
--reset=<number> Reset counter to <number>.
- If divisor is set use it, else <number> means seconds
---help Show this help screen
---(hours|minutes|seconds) Specify information divisor
+ If divisor is set use it,
+ else <number> means seconds.
+--help Show this help screen.
+--(hours|minutes|seconds) Specify information divisor.
EOF
exit 0;
}
--
2.1.3

47
freeradius-rad_counter-use-heredoc-for-help-message.patch
View File

@ -1,47 +0,0 @@
From 70686e8d2b400a804277ba0cdc664e71dd393dd5 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 5 Dec 2014 12:12:19 +0200
Subject: [PATCH 1/3] rad_counter: Use heredoc for help message
Use Perl's here document syntax for rad_counter's help message and
replace tab escape sequences with spaces to make the source more
readable and easier to modify.
---
src/modules/rlm_counter/rad_counter | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/modules/rlm_counter/rad_counter b/src/modules/rlm_counter/rad_counter
index be0a33a..b6c1159 100755
--- a/src/modules/rlm_counter/rad_counter
+++ b/src/modules/rlm_counter/rad_counter
@@ -19,15 +19,18 @@ my $help = 0;
$filename = '';
sub show_help {
- print "Usage: $0 --file=<counter filename> [--reset=<seconds>] [--match=<regexp>]\n";
- print "[--user=<username>] [--help] [--hours|--minutes|--seconds]\n\n";
- print "--user=<username>", "\t\t", "Information for specific user\n";
- print "--file=<filename>", "\t\t", "Counter db filename\n";
- print "--match=<regexp>", "\t\t", "Information for matching users\n";
- print "--reset=<number>", "\t\t", "Reset counter to <number>.\n";
- print "\t\t\t\t", "If divisor is set use it, else <number> means seconds\n";
- print "--help", "\t\t\t\t", "Show this help screen\n";
- print "--(hours|minutes|seconds)", "\t", "Specify information divisor\n";
+ print <<"EOF";
+Usage: $0 --file=<counter filename> [--reset=<seconds>] [--match=<regexp>]
+[--user=<username>] [--help] [--hours|--minutes|--seconds]
+
+--user=<username> Information for specific user
+--file=<filename> Counter db filename
+--match=<regexp> Information for matching users
+--reset=<number> Reset counter to <number>.
+ If divisor is set use it, else <number> means seconds
+--help Show this help screen
+--(hours|minutes|seconds) Specify information divisor
+EOF
exit 0;
}
--
2.1.3

49
freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch
View File

@ -1,49 +0,0 @@
From 40537a80edeba25853df745e969f1b0bd5bc71bf Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Thu, 18 Dec 2014 16:13:58 +0200
Subject: [PATCH 1/1] raddb: Comment on ipaddr/ipv4addr/ipv6addr use
Describe combined ipaddr/ipv4addr/ipv6addr use in
raddb/sites-available/default.
---
raddb/sites-available/default | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 77c271c..77602e4 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -84,17 +84,22 @@ listen {
# source IP address for packets sent to a home server, the
# proxy listeners are automatically created.
- # IP address on which to listen.
+ # ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
+ # Out of several options the first one will be used.
+ #
# Allowed values are:
- # dotted quad (1.2.3.4)
- # hostname (radius.example.com)
- # wildcard (*)
+ # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
+ # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
+ # hostname (radius.example.com,
+ # A record for ipv4addr,
+ # AAAA record for ipv6addr,
+ # A or AAAA record for ipaddr)
+ # wildcard (*)
+ #
+ # ipv4addr = *
+ # ipv6addr = *
ipaddr = *
- # OR, you can use an IPv6 address, but not both
- # at the same time.
-# ipv6addr = :: # any. ::1 == localhost
-
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
--
2.1.3

62
freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch
View File

@ -1,62 +0,0 @@
From 1b32a0e398871f0f5b7b41d200b1b9db371e84d5 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 15 Dec 2014 16:48:26 +0200
Subject: [PATCH 1/1] raddb: Move trigger.conf INCLUDE before modules
Move "$INCLUDE trigger.conf" chunk before module section in
"radiusd.conf.in". This makes it possible to reference "snmptrap" and
related trigger variables under "pool.trigger" in module configurations,
simplifying them.
E.g. like this (in raddb/mods-enabled/ldap):
ldap ldap_instance {
pool {
trigger {
args = "radiusdModuleName s '${...:name}' radiusdModuleInstance s '${...:instance}'"
open = "${snmptrap}::serverModuleConnectionUp ${args}"
close = "${snmptrap}::serverModuleConnectionDown ${args}"
}
}
}
---
raddb/radiusd.conf.in | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index c6d5834..fb7d1bd 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -648,6 +648,14 @@ thread pool {
auto_limit_acct = no
}
+######################################################################
+#
+# SNMP notifications. Uncomment the following line to enable
+# snmptraps. Note that you MUST also configure the full path
+# to the "snmptrap" command in the "trigger.conf" file.
+#
+#$INCLUDE trigger.conf
+
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
@@ -780,14 +788,6 @@ policy {
######################################################################
#
-# SNMP notifications. Uncomment the following line to enable
-# snmptraps. Note that you MUST also configure the full path
-# to the "snmptrap" command in the "trigger.conf" file.
-#
-#$INCLUDE trigger.conf
-
-######################################################################
-#
# Load virtual servers.
#
# This next $INCLUDE line loads files in the directory that
--
2.1.3

30
freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch
View File

@ -1,30 +0,0 @@
From e37dbd2dd0f20ff255ddc934296afa67e59695c6 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Thu, 16 Oct 2014 13:48:32 +0300
Subject: [PATCH 2/4] raddb: Remove extra apostrophe from trigger.conf
Remove a spurious apostrophe from trigger.conf's trigger.modules.args.
This fixes module triggers, otherwise producing this error:
rad_expand_xlat: Invalid string passed as argument
---
raddb/trigger.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/raddb/trigger.conf b/raddb/trigger.conf
index aa846c3..b80089c 100644
--- a/raddb/trigger.conf
+++ b/raddb/trigger.conf
@@ -194,7 +194,7 @@ trigger {
# "trigger" subsection in the module configuration.
modules {
# Common arguments
- args = "radiusdModuleName s ldap' radiusdModuleInstance s ''"
+ args = "radiusdModuleName s ldap radiusdModuleInstance s ''"
# The files module
files {
--
2.1.1

70
freeradius-raddb-update-triggers-in-trigger.conf.patch
View File

@ -1,70 +0,0 @@
From 7162088ec80add0e83d1073b67001546be3d0d8d Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Thu, 23 Oct 2014 13:56:46 +0300
Subject: [PATCH 1/1] raddb: Update triggers in trigger.conf
Update trigger.conf's available triggers and comments to correspond to
actual code.
---
raddb/trigger.conf | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/raddb/trigger.conf b/raddb/trigger.conf
index 44f9f36..413a182 100644
--- a/raddb/trigger.conf
+++ b/raddb/trigger.conf
@@ -222,11 +222,8 @@ trigger {
# A connection to the DB has been closed
close = "${snmptrap}::serverModuleConnectionDown ${args}"
- # Failed to open a new connection to the DB
- fail = "${snmptrap}::serverModuleConnectionFail ${args}"
-
- # There are no DB handles available.
- none = "${snmptrap}::serverModuleConnectionNone ${args}"
+ # The module has been HUP'd via radmin
+ hup = "${snmptrap}::serverModuleHup ${args}"
}
# The SQL module
@@ -243,12 +240,13 @@ trigger {
# Failed to open a new connection to the DB
fail = "${snmptrap}::serverModuleConnectionFail ${args}"
- # There are no DB handles available.
- none = "${snmptrap}::serverModuleConnectionNone ${args}"
+ # The module has been HUP'd via radmin
+ hup = "${snmptrap}::serverModuleHup ${args}"
}
- # You can use the same opn / close / fail / none triggers for
- # any module which uses the "pool" directive.
+ # You can also use connection pool's start/stop/open/close triggers
+ # for any module which uses the "pool" section, here and under
+ # pool.trigger in module configuration.
}
}
@@ -267,10 +265,9 @@ trigger {
# home_server_pool.fallback
# home_server_pool.normal
# modules.*.hup
-# modules.ldap.fail
+# modules.ldap.timeout
# modules.sql.close
# modules.sql.fail
-# modules.sql.none
# modules.sql.open
# server.client.add
# server.max_requests
@@ -278,3 +275,7 @@ trigger {
# server.signal.term
# server.start
# server.stop
+# server.thread.max_threads
+# server.thread.start
+# server.thread.stop
+# server.thread.unresponsive
--
2.1.1

83
freeradius-raddb-use-appropriate-module-names-in-traps.patch
View File

@ -1,83 +0,0 @@
From 039f85dfe9a09478c9581b87113e73e2205abd53 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Thu, 16 Oct 2014 13:59:51 +0300
Subject: [PATCH 3/4] raddb: Use appropriate module names in traps
Specify appropriate module names for all module traps in trigger.conf,
instead of using "ldap" for all.
---
raddb/trigger.conf | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/raddb/trigger.conf b/raddb/trigger.conf
index b80089c..44f9f36 100644
--- a/raddb/trigger.conf
+++ b/raddb/trigger.conf
@@ -194,12 +194,15 @@ trigger {
# "trigger" subsection in the module configuration.
modules {
# Common arguments
- args = "radiusdModuleName s ldap radiusdModuleInstance s ''"
+ args = "radiusdModuleInstance s ''"
# The files module
files {
+ # Common arguments
+ args = "radiusdModuleName s files ${..args}"
+
# The module has been HUP'd via radmin
- hup = "${snmptrap}::serverModuleHup ${..args}"
+ hup = "${snmptrap}::serverModuleHup ${args}"
# Note that "hup" can be used for every module
# which can be HUP'd via radmin
@@ -210,32 +213,38 @@ trigger {
# an LDAP connection ofr every "bind as user". Be aware that
# this will likely produce a lot of triggers.
ldap {
+ # Common arguments
+ args = "radiusdModuleName s ldap ${..args}"
+
# A new connection to the DB has been opened
- open = "${snmptrap}::serverModuleConnectionUp ${..args}"
+ open = "${snmptrap}::serverModuleConnectionUp ${args}"
# A connection to the DB has been closed
- close = "${snmptrap}::serverModuleConnectionDown ${..args}"
+ close = "${snmptrap}::serverModuleConnectionDown ${args}"
# Failed to open a new connection to the DB
- fail = "${snmptrap}::serverModuleConnectionFail ${..args}"
+ fail = "${snmptrap}::serverModuleConnectionFail ${args}"
# There are no DB handles available.
- none = "${snmptrap}::serverModuleConnectionNone ${..args}"
+ none = "${snmptrap}::serverModuleConnectionNone ${args}"
}
# The SQL module
sql {
+ # Common arguments
+ args = "radiusdModuleName s sql ${..args}"
+
# A new connection to the DB has been opened
- open = "${snmptrap}::serverModuleConnectionUp ${..args}"
+ open = "${snmptrap}::serverModuleConnectionUp ${args}"
# A connection to the DB has been closed
- close = "${snmptrap}::serverModuleConnectionDown ${..args}"
+ close = "${snmptrap}::serverModuleConnectionDown ${args}"
# Failed to open a new connection to the DB
- fail = "${snmptrap}::serverModuleConnectionFail ${..args}"
+ fail = "${snmptrap}::serverModuleConnectionFail ${args}"
# There are no DB handles available.
- none = "${snmptrap}::serverModuleConnectionNone ${..args}"
+ none = "${snmptrap}::serverModuleConnectionNone ${args}"
}
# You can use the same opn / close / fail / none triggers for
--
2.1.1

48
freeradius-talloc-dummy-request.patch
View File

@ -1,48 +0,0 @@
From 03c5915208234255484ece4c233c9e252776e3a3 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 29 Sep 2014 17:40:10 +0300
Subject: [PATCH 1/1] process: Talloc home_trigger dummy request
Allocate the dummy request in home_trigger with talloc, instead of
allocating it on the stack, as the rest of the code expects it to be a
valid talloc context.
This fixes a talloc_abort resulting from xlat_tokenize_request invoking
talloc_typed_strdup with the dummy request as the talloc context.
---
src/main/process.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/main/process.c b/src/main/process.c
index 76ce4ea..7e1a51e 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -3212,16 +3212,17 @@ static void ping_home_server(void *ctx)
static void home_trigger(home_server_t *home, char const *trigger)
{
- REQUEST my_request;
- RADIUS_PACKET my_packet;
+ REQUEST *my_request;
+ RADIUS_PACKET *my_packet;
- memset(&my_request, 0, sizeof(my_request));
- memset(&my_packet, 0, sizeof(my_packet));
- my_request.proxy = &my_packet;
- my_packet.dst_ipaddr = home->ipaddr;
- my_packet.src_ipaddr = home->src_ipaddr;
+ my_request = talloc_zero(NULL, REQUEST);
+ my_packet = talloc_zero(my_request, RADIUS_PACKET);
+ my_request->proxy = my_packet;
+ my_packet->dst_ipaddr = home->ipaddr;
+ my_packet->src_ipaddr = home->src_ipaddr;
- exec_trigger(&my_request, home->cs, trigger, false);
+ exec_trigger(my_request, home->cs, trigger, false);
+ talloc_free(my_request);
}
static void mark_home_server_zombie(home_server_t *home, struct timeval *now, struct timeval *response_window)
--
2.1.0

40
freeradius-valuepair-don-t-remove-unkown-backslash.patch
View File

@ -1,40 +0,0 @@
From 90b5b46341dbba78d8cd98d55d1b9321544c7887 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 15 Dec 2014 14:42:56 +0200
Subject: [PATCH 1/1] valuepair: Don't remove unknown backslash
Don't remove backslash from unknown escape sequences in pairparsevalue,
adhering to behavior common to most other programs dealing with
backslash escape sequences.
---
src/lib/valuepair.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/lib/valuepair.c b/src/lib/valuepair.c
index 7d6ee88..7742b81 100644
--- a/src/lib/valuepair.c
+++ b/src/lib/valuepair.c
@@ -1176,12 +1176,14 @@ int pairparsevalue(VALUE_PAIR *vp, char const *value, size_t inlen)
c = x;
cp += 3;
- } else if (cp[0]) {
- /*
- * \p --> p
- */
- c = *cp++;
- } /* else at EOL \ --> \ */
+ }
+
+ /*
+ * Else It's not a recognised escape sequence DON'T
+ * consume the backslash. This is identical
+ * behaviour to bash and most other things that
+ * use backslash escaping.
+ */
}
*p++ = c;
vp_len++;
--
2.1.3

75
freeradius.spec
View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.4 Version: 3.0.7
Release: 4%{?dist} Release: 1%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -23,36 +23,6 @@ Source104: freeradius-tmpfiles.conf
Patch1: freeradius-redhat-config.patch Patch1: freeradius-redhat-config.patch
Patch2: freeradius-postgres-sql.patch Patch2: freeradius-postgres-sql.patch
Patch3: freeradius-add-disable-openssl-version-check.patch
Patch4: freeradius-talloc-dummy-request.patch
Patch5: freeradius-dont-detach-after-perl_parse.patch
Patch6: freeradius-access-union-consistently.patch
Patch7: freeradius-dont-truncate-uint64.patch
Patch8: freeradius-prefix-endian-macros.patch
Patch9: freeradius-dont-swap-uint128-printing-on-be.patch
Patch10: freeradius-fix-dhcp-dictionary-loading.patch
Patch11: freeradius-mention-eap-md5-in-radtest-synopsis.patch
Patch12: freeradius-add-P-option-to-radtest-synopsis.patch
Patch13: freeradius-exec-dont-assume-request-presence-when-logging.patch
Patch14: freeradius-raddb-remove-extra-apostrophe-from-trigger.conf.patch
Patch15: freeradius-raddb-use-appropriate-module-names-in-traps.patch
Patch16: freeradius-connection-fall-through-to-global-module-triggers.patch
Patch17: freeradius-ignore-SIGTERM-when-firing-stop-and-signal.term.patch
Patch18: freeradius-raddb-update-triggers-in-trigger.conf.patch
Patch19: freeradius-make-grp-tallo-c-too.patch
Patch20: freeradius-fix-checks-for-PW_TYPE_FILE_INPUT.patch
Patch21: freeradius-added-D-option-to-mirror-radclient.patch
Patch22: freeradius-man-remove-client-attribute-description.patch
Patch23: freeradius-man-remove-references-to-naslist-and-clients.patch
Patch24: freeradius-valuepair-don-t-remove-unkown-backslash.patch
Patch25: freeradius-rad_counter-use-heredoc-for-help-message.patch
Patch26: freeradius-rad_counter-Refine-help-message.patch
Patch27: freeradius-dhcpclient-Add-a-short-description-to-help-output.patch
Patch28: freeradius-raddb-Move-trigger.conf-INCLUDE-before-modules.patch
Patch29: freeradius-Resolve-to-all-families-on-ip_hton-fallback.patch
Patch30: freeradius-Don-t-overwrite-ip_hton-af-prefix-in-fr_pton4-6.patch
Patch31: freeradius-raddb-Comment-on-ipaddr-ipv4addr-ipv6addr-use.patch
Patch32: freeradius-Fix-OpenSSL-version-check-issues.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -211,35 +181,6 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
# mistakenly includes the backup files, especially problematic for raddb config files. # mistakenly includes the backup files, especially problematic for raddb config files.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%build %build
# Force compile/link options, extra security for network facing daemon # Force compile/link options, extra security for network facing daemon
@ -316,6 +257,11 @@ rm -rf $RPM_BUILD_ROOT/etc/raddb/mods-config/sql/main/oracle
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/unbound
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/abfab*
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/abfab*
rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
# remove unsupported config files # remove unsupported config files
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/experimental.conf
@ -418,6 +364,7 @@ exit 0
# certs # certs
%dir %attr(770,root,radiusd) /etc/raddb/certs %dir %attr(770,root,radiusd) /etc/raddb/certs
%config(noreplace) /etc/raddb/certs/Makefile %config(noreplace) /etc/raddb/certs/Makefile
%config(noreplace) /etc/raddb/certs/passwords.mk
/etc/raddb/certs/README /etc/raddb/certs/README
%config(noreplace) /etc/raddb/certs/xpextensions %config(noreplace) /etc/raddb/certs/xpextensions
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
@ -606,6 +553,7 @@ exit 0
%{_libdir}/freeradius/rlm_always.so %{_libdir}/freeradius/rlm_always.so
%{_libdir}/freeradius/rlm_attr_filter.so %{_libdir}/freeradius/rlm_attr_filter.so
%{_libdir}/freeradius/rlm_cache.so %{_libdir}/freeradius/rlm_cache.so
%{_libdir}/freeradius/rlm_cache_rbtree.so
%{_libdir}/freeradius/rlm_chap.so %{_libdir}/freeradius/rlm_chap.so
%{_libdir}/freeradius/rlm_counter.so %{_libdir}/freeradius/rlm_counter.so
%{_libdir}/freeradius/rlm_cram.so %{_libdir}/freeradius/rlm_cram.so
@ -824,6 +772,11 @@ exit 0
%{_libdir}/freeradius/rlm_sql_unixodbc.so %{_libdir}/freeradius/rlm_sql_unixodbc.so
%changelog %changelog
* Thu Mar 19 2015 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.7-1
- Upgrade to upstream v3.0.7 release.
See upstream ChangeLog for details (in freeradius-doc subpackage).
Resolves: Bug#1133959
* Fri Feb 13 2015 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.4-4 * Fri Feb 13 2015 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.4-4
- Bump release number to catch up with Fedora 21. - Bump release number to catch up with Fedora 21.

2
sources
View File

@ -1 +1 @@
5457f10d006767e77541b87049f0a7d2 freeradius-server-3.0.4.tar.bz2 50db3dec6341c3b644cc651263a0971e freeradius-server-3.0.7.tar.bz2