rpms
/
freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

re-import sources as agreed with the maintainer

This commit is contained in:
Adam Samalik 2023-07-10 13:02:29 +02:00
parent dd475a62c3
commit a7b5fbfaff
24 changed files with 982 additions and 11922 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
.gitignore vendored
View File

@ -1,2 +1,33 @@
SOURCES/freeradius-server-3.0.20.tar.bz2
# Ignore build artifacts and signatures
*.sig
.build*.log
freeradius-server-*/
x86_64/
freeradius-*.src.rpm
# Automatically added
/freeradius-server-2.1.9.tar.bz2
/freeradius-server-2.1.10.tar.bz2
/freeradius-server-2.1.11.tar.bz2
/freeradius-server-2.1.12.tar.bz2
/freeradius-server-2.2.0.tar.bz2
/freeradius-server-release_3_0_0_rc0.tar.gz
/freeradius-server-release_3_0_0_rc1.tar.gz
/freeradius-server-3.0.0.tar.bz2
/freeradius-server-3.0.1.tar.bz2
/freeradius-server-3.0.2.tar.bz2
/freeradius-server-3.0.3.tar.bz2
/freeradius-server-3.0.4rc2.tar.bz2
/freeradius-server-3.0.4.tar.bz2
/freeradius-server-3.0.7.tar.bz2
/freeradius-server-3.0.8.tar.bz2
/freeradius-server-3.0.9.tar.bz2
/freeradius-server-3.0.10.tar.bz2
/freeradius-server-3.0.11.tar.bz2
/freeradius-server-3.0.12.tar.bz2
/freeradius-server-3.0.13.tar.bz2
/freeradius-server-3.0.14.tar.bz2
/freeradius-server-3.0.15.tar.bz2
/release_3_0_17.tar.gz
/freeradius-server-3.0.17.tar.bz2
/freeradius-server-3.0.20.tar.bz2

385
find_module_deps Normal file
View File

@ -0,0 +1,385 @@
#!/usr/bin/env python
import exceptions
import getopt
import os
import re
import rpm
import select
import subprocess
import sys
#------------------------------------------------------------------------------
def get_rlms(root):
rlm_re = re.compile(r'^rlm_')
version_re = re.compile(r'-[0-9.]+\.so$')
names = os.listdir(root)
names = [x for x in names if rlm_re.search(x)]
names = [x for x in names if not version_re.search(x)]
names.sort()
return names
#------------------------------------------------------------------------------
debug = False
verbose = False
exclude_rpms = ['glibc']
build = '2.0.2-1.fc8'
root_template = '/var/tmp/freeradius-%s-root-jdennis/usr/lib/freeradius'
libdirs = ['/lib','/usr/lib']
#------------------------------------------------------------------------------
def get_rpm_nvr_from_header(hdr):
'Given an RPM header return the package NVR as a string'
name = hdr['name']
version = hdr['version']
release = hdr['release']
return "%s-%s-%s" % (name, version, release)
def get_rpm_hdr_by_file_path(path):
if path is None:
return None
hdr = None
try:
ts = rpm.ts()
mi = ts.dbMatch(rpm.RPMTAG_BASENAMES, path)
for hdr in mi: break
except Exception, e:
print >> sys.stderr, "failed to retrieve rpm hdr for %s, %s" %(path, e)
hdr = None
return hdr
def get_rpm_nvr_by_file_path(path):
if path is None:
return None
hdr = get_rpm_hdr_by_file_path(path)
if not hdr:
print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
nvr = get_rpm_nvr_from_header(hdr)
return nvr
def get_rpm_name_by_file_path(path):
if path is None:
return None
hdr = get_rpm_hdr_by_file_path(path)
if not hdr:
print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
name = hdr['name']
return name
#------------------------------------------------------------------------------
class CmdError(exceptions.Exception):
def __init__(self, errno, msg):
self.errno = errno
self.msg = msg
class Command:
def __init__(self, cmd):
self.cmd = cmd
self.sub_process = None
self.bufsize = 1024
self.stdout_buf = ''
self.stderr_buf = ''
self.stdout_lines = []
self.stderr_lines = []
def run(self, stdout_callback=None, stderr_callback=None):
self.sub_process = subprocess.Popen(self.cmd, \
stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE, \
close_fds=True, shell=True)
self.stdout = self.sub_process.stdout
self.stderr = self.sub_process.stderr
read_watch = [self.stdout, self.stderr]
while read_watch:
readable = select.select(read_watch, [], [])[0]
for fd in readable:
if fd == self.stdout:
data = os.read(fd.fileno(), self.bufsize)
if not data:
read_watch.remove(fd)
else:
self.stdout_buf += data
for line in self.burst_lines('stdout_buf'):
if stdout_callback: stdout_callback(line)
self.stdout_lines.append(line)
if fd == self.stderr:
data = os.read(fd.fileno(), self.bufsize)
if not data:
read_watch.remove(fd)
else:
self.stderr_buf += data
for line in self.burst_lines('stderr_buf'):
if stdout_callback: stderr_callback(line)
self.stderr_lines.append(line)
self.returncode = self.sub_process.wait()
if self.returncode:
raise CmdError(self.returncode, "cmd \"%s\"\nreturned status %d\n%s" % (self.cmd, self.returncode, ''.join(self.stderr_lines)))
return self.returncode
def burst_lines(self, what):
buf = getattr(self, what)
start = 0
end = buf.find('\n', start)
while end >= 0:
end += 1 # include newline
line = buf[start:end]
yield line
start = end
end = buf.find('\n', start)
buf = buf[start:]
setattr(self, what, buf)
#------------------------------------------------------------------------------
def get_so_requires(path):
requires = {}
cmd = 'ldd %s' % (path)
so_re = re.compile(r'^\s*(\S+)\s+=>\s+(\S+)')
c = Command(cmd)
status = c.run()
for line in c.stdout_lines:
line = line.strip()
match = so_re.search(line)
if match:
so_name = match.group(1)
if match.group(2).startswith('/'):
so_path = match.group(2)
else:
so_path = None
requires[so_name] = so_path
return requires
def get_so_needed(path):
needed = []
cmd = 'readelf -d %s' % (path)
so_re = re.compile(r'\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]')
c = Command(cmd)
status = c.run()
for line in c.stdout_lines:
line = line.strip()
match = so_re.search(line)
if match:
so_name = match.group(1)
needed.append(so_name)
return needed
def format_size(size):
if size > 1000000000:
return '%.1f GB' % (size/1000000000.0)
if size > 1000000:
return '%.1f MB' % (size/1000000.0)
if size > 1000:
return '%.1f KB' % (size/1000.0)
return '%d' % (size)
#------------------------------------------------------------------------------
class RPM_Prop:
def __init__(self, path=None, name=None):
self.name = name
self.paths = {}
self.rpm_hdr = None
self.used_by = {}
if path:
self.register_path(path)
if not self.rpm_hdr:
self.rpm_hdr = get_rpm_hdr_by_file_path(path)
if self.rpm_hdr:
if not self.name:
self.name = self.rpm_hdr[rpm.RPMTAG_NAME]
self.size = self.rpm_hdr[rpm.RPMTAG_SIZE]
def __str__(self):
return "name=%s paths=%s" % (self.name, ','.join(self.paths.keys()))
def register_path(self, path, name=None):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
return self.paths.setdefault(path, path)
class RPM_Collection:
def __init__(self):
self.names = {}
self.paths = {}
def __str__(self):
text = ''
names = self.get_names()
for name in names:
text += "%s: %s\n" % (name, self.names[name])
return text
def register_path(self, path):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
rpm_prop = self.paths.get(path)
if not rpm_prop:
rpm_prop = self.paths.setdefault(path, RPM_Prop(path=path))
self.names.setdefault(rpm_prop.name, rpm_prop)
return rpm_prop
def get_names(self):
names = self.names.keys()
names.sort()
return names
def get_name(self, name):
return self.names.get(name)
class SO_File:
def __init__(self, name=None, path=None):
self.name = name
self.path = path
self.rpm = None
def __str__(self):
if self.rpm:
rpm_name = self.rpm.name
else:
rpm_name = None
return "name=%s rpm=%s" % (self.name, rpm_name)
class SO_Collection:
def __init__(self):
self.names = {}
self.paths = {}
def __str__(self):
text = ''
names = self.get_names()
for name in names:
text += "%s: %s\n" % (name, self.names[name])
return text
def register_path(self, path, name=None):
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
so_prop = self.paths.get(path)
if not so_prop:
so_prop = self.paths.setdefault(path, SO_File(name, path=path))
self.names.setdefault(name, so_prop)
return so_prop
def get_names(self):
names = self.names.keys()
names.sort()
return names
class LoadableModule:
def __init__(self, path, name=None):
if name is None:
name = os.path.basename(path)
self.name = name
self.path = path
self.rpm_names = {}
self.sos = SO_Collection()
self.get_so_requires()
def __str__(self):
text = '%s\n' % (self.name)
text += " RPM's: %s\n" % (','.join(self.get_rpm_names()))
text += " SO's: %s\n" % (','.join(self.sos.get_names()))
return text
def get_so_requires(self):
requires = get_so_requires(self.path)
needed = get_so_needed(self.path)
#print "%s requires=%s" % (self.name, requires)
#print "%s needed=%s" % (self.name, needed)
for so_name, so_path in requires.items():
if so_name not in needed: continue
if so_path:
so_prop = self.sos.register_path(so_path, so_name)
rpm_prop = rpms.register_path(so_prop.path)
rpm_prop.used_by[self.name] = 1
self.rpm_names.setdefault(rpm_prop.name, rpm_prop.name)
so_prop.rpm = rpm_prop
else:
so_prop = None
if verbose: print "found so='%s' %s" % (so_name, so_prop)
def register_so(self, so):
if debug: print "%s.register_so: so=%s" % (self.__class__.__name__, so)
self.sos.setdefault(so, so)
self.names.setdefault(so.name, so)
return so
def get_rpm_names(self):
rpm_names = self.rpm_names.keys()
rpm_names.sort()
return rpm_names
def get_sos(self):
sos = self.sos.keys()
sos.sort(lambda a,b: cmp(a.name, b.name))
return sos
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
opts, args = getopt.getopt(sys.argv[1:], "b:v", ['build=','verbose'])
for o, a in opts:
if o in ['-b', '--build']:
build = a
elif o in ['-v', '--verbose']:
verbose = True
else:
print >> sys.stderr, "Unknown arg: %s" % o
sys.exit(1)
root = root_template % build
modules = get_rlms(root)
module_paths = [os.path.join(root,x) for x in modules]
rpms = RPM_Collection()
lms = []
for module_path in module_paths[:]:
lm = LoadableModule(module_path)
lms.append(lm)
print "RLM Modules(%s): %s\n" % (len(modules), ','.join(modules))
for lm in lms:
rpm_names = [x for x in lm.get_rpm_names() if x not in exclude_rpms]
if rpm_names:
print lm.name
print ' %s' % (','.join(rpm_names))
print "--------------"
rpm_props = [x for x in rpms.names.values() if len(x.used_by) and x.name not in exclude_rpms]
rpm_props.sort(lambda a,b: cmp(a.name, b.name))
for rpm_prop in rpm_props:
used_by = rpm_prop.used_by.keys()
used_by.sort()
print "%s: %s" % (rpm_prop.name, ','.join(used_by))
print "--------------"
rpm_props.sort(lambda a,b: cmp(a.size, b.size))
for rpm_prop in rpm_props:
print '%10s %s' % (format_size(rpm_prop.size), rpm_prop.name)
print "--------------"
for lm in lms:
print lm

97
freeradius-Add-missing-option-descriptions.patch Normal file
View File

@ -0,0 +1,97 @@
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 14 Sep 2018 12:20:11 +0300
Subject: [PATCH] man: Add missing option descriptions
---
man/man8/raddebug.8 | 4 ++++
man/man8/radiusd.8 | 7 +++++++
man/man8/radmin.8 | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
index 66e80e64fa..6e27e2453c 100644
--- a/man/man8/raddebug.8
+++ b/man/man8/raddebug.8
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
.IR condition ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-n
.IR name ]
.RB [ \-i
@@ -73,6 +75,8 @@ option is equivalent to using:
.IP "\-d \fIconfig directory\fP"
The radius configuration directory, usually /etc/raddb. See the
\fIradmin\fP manual page for more description of this option.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-n \fImname\fP"
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
.IP \-I\ \fIipv6-address\fP
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
index c825f22d0d..98aef5e1be 100644
--- a/man/man8/radiusd.8
+++ b/man/man8/radiusd.8
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
.RB [ \-C ]
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-f ]
.RB [ \-h ]
.RB [ \-i
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
.IR name ]
.RB [ \-p
.IR port ]
+.RB [ \-P ]
.RB [ \-s ]
.RB [ \-t ]
.RB [ \-v ]
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
.IP "\-d \fIconfig directory\fP"
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
files such as the \fIdictionary\fP and the \fIusers\fP files.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP \-f
Do not fork, stay running as a foreground process.
.IP \-h
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
\fIradiusd.conf\fP are ignored.
This option MUST be used in conjunction with "-i".
+.IP "\-P
+Always write out PID, even with -f.
.IP \-s
Run in "single server" mode. The server normally runs with multiple
threads and/or processes, which can lower its response time to
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
index 5ecc963d81..5bf661fa71 100644
--- a/man/man8/radmin.8
+++ b/man/man8/radmin.8
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
.B radmin
.RB [ \-d
.IR config_directory ]
+.RB [ \-D
+.IR dictionary_directory ]
.RB [ \-e
.IR command ]
.RB [ \-E ]
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
configuration files to find the "listen" section that defines the
control socket filename.
+.IP "\-D \fIdictionary directory\fP"
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
.IP "\-e \fIcommand\fP"
Run \fIcommand\fP and exit.
.IP \-E
--
2.18.0

11553
freeradius-Backport-OpenSSL3-fixes.patch
View File

File diff suppressed because it is too large Load Diff

45
freeradius-EAP-PWD-curve-handling.patch Normal file
View File

@ -0,0 +1,45 @@
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index 7f91e4b230..848ca2055e 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
data_len = BN_num_bytes(session->order);
BN_bin2bn(ptr, data_len, session->peer_scalar);
+ /* validate received scalar */
+ if (BN_is_zero(session->peer_scalar) ||
+ BN_is_one(session->peer_scalar) ||
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
+ ERROR("Peer's scalar is not within the allowed range");
+ goto finish;
+ }
+
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
DEBUG2("pwd: unable to get coordinates of peer's element");
goto finish;
}
+ /* validate received element */
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
+ ERROR("Peer's element is not a point on the elliptic curve");
+ goto finish;
+ }
+
/* check to ensure peer's element is not in a small sub-group */
if (BN_cmp(cofactor, BN_value_one())) {
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
}
}
+ /* detect reflection attacks */
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
+ ERROR("Reflection attack detected");
+ goto finish;
+ }
+
/* compute the shared key, k */
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||

38
freeradius-EAP-PWD-information-leak-10-iterations.patch Normal file
View File

@ -0,0 +1,38 @@
From 3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
Date: Wed, 5 Jun 2019 19:21:06 +0000
Subject: [PATCH] EAP-pwd: fix side-channel leak where 1 in 2018 handshakes
fail
Previously the Hunting and Pecking algorithm of EAP-pwd aborted when
more than 10 iterations are needed. Every iteration has a 50% chance
of finding the password element. This means one in every 2048 handshakes
will fail, in which case an error frame is sent to the client. This
event leaks information that can be abused in an offline password
brute-force attack. More precisely, the adversary learns that all 10
iterations failed for the given random EAP-pwd token. Using the same
techniques as in the Dragonblood attack, this can be used to brute-force
the password.
This patch fixes the above issue by executing enough iterations such that
the password element is always found eventually.
Note that timing and cache leaks remain a risk against the current
implementation of EAP-pwd.
---
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
index c54f08c030..d94851c3aa 100644
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
@@ -192,7 +192,7 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
}
ctr = 0;
while (1) {
- if (ctr > 10) {
+ if (ctr > 100) {
DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);
goto fail;
}

68
freeradius-OpenSSL-HMAC-MD5.patch Normal file
View File

@ -0,0 +1,68 @@
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 09:54:46 -0400
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-MD5.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
index 2c662ff368..1cca00fa2a 100644
--- a/src/lib/hmacmd5.c
+++ b/src/lib/hmacmd5.c
@@ -27,10 +27,41 @@
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#include <freeradius-devel/md5.h>
-/** Calculate HMAC using MD5
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's MD5 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ *
+ */
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
+
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+#else
+/** Calculate HMAC using internal MD5 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -101,6 +132,7 @@
* hash */
fr_md5_final(digest, &context); /* finish up 2nd pass */
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

73
freeradius-OpenSSL-HMAC-SHA1.patch Normal file
View File

@ -0,0 +1,73 @@
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Sep 2018 11:03:52 -0400
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
If OpenSSL EVP is not found, fallback to internal implementation of
HMAC-SHA1.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
index c3cbd87a2c..211470ea35 100644
--- a/src/lib/hmacsha1.c
+++ b/src/lib/hmacsha1.c
@@ -10,13 +10,19 @@
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/hmac.h>
+#include <openssl/evp.h>
+#endif
+
#include <freeradius-devel/libradius.h>
#ifdef HMAC_SHA1_DATA_PROBLEMS
unsigned int sha1_data_problems = 0;
#endif
-/** Calculate HMAC using SHA1
+#ifdef HAVE_OPENSSL_EVP_H
+/** Calculate HMAC using OpenSSL's SHA1 implementation
*
* @param digest Caller digest to be filled in.
* @param text Pointer to data stream.
@@ -28,6 +34,26 @@
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
uint8_t const *key, size_t key_len)
{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
+ HMAC_Update(ctx, text, text_len);
+ HMAC_Final(ctx, digest, NULL);
+ HMAC_CTX_free(ctx);
+}
+
+#else
+
+/** Calculate HMAC using internal SHA1 implementation
+ *
+ * @param digest Caller digest to be filled in.
+ * @param text Pointer to data stream.
+ * @param text_len length of data stream.
+ * @param key Pointer to authentication key.
+ * @param key_len Length of authentication key.
+ */
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
+ uint8_t const *key, size_t key_len)
+{
fr_sha1_ctx context;
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
@@ -142,6 +168,7 @@
}
#endif
}
+#endif /* HAVE_OPENSSL_EVP_H */
/*
Test Vectors (Trailing '\0' of a character string not included in test):

21
freeradius-autogen.sh Normal file
View File

@ -0,0 +1,21 @@
#!/bin/sh -e
parentdir=`dirname $0`
cd $parentdir
parentdir=`pwd`
libtoolize -f -c
#aclocal
autoheader
autoconf
mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`"
mysubdirs=`echo $mysubdirs`
for F in $mysubdirs
do
echo "Configuring in $F..."
(cd $F && grep "^AC_CONFIG_HEADER" configure.in > /dev/null && autoheader -I$parentdir)
(cd $F && autoconf -I$parentdir)
done

136
freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
View File

@ -1,136 +0,0 @@
From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 22 Apr 2022 12:27:43 +0200
Subject: [PATCH] bootstrap: pass -noenc to certificate generation
Bootstrap script would fail to generate certificates if run on systems
with FIPS enabled. By passing the -noenc option, we can skip the usage
of unsupported algorithms on these systems.
After generating the certificates, correct permissions are set.
Signed-off-by: Antonio Torres <antorres@redhat.com>
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
In bootstrap diff, -f is changed to -e in conditionals.
---
raddb/certs/Makefile | 20 ++++++++++++++++----
raddb/certs/bootstrap | 6 +++---
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd467ce..cb10394ec3 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
######################################################################
dh:
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ chown root:radiusd dh
+ chmod 640 dh
######################################################################
#
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
@[ -f serial ] || $(MAKE) serial
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
chmod g+r ca.key
+ chown root:radiusd ca.*
+ chmod 640 ca.*
ca.der: ca.pem
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
@@ -81,6 +85,8 @@ ca.crl: ca.pem
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
rm ca-crl.pem
+ chown root:radiusd ca.*
+ chmod 640 ca.*
######################################################################
#
@@ -88,7 +94,7 @@ ca.crl: ca.pem
#
######################################################################
server.csr server.key: server.cnf
- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
chmod g+r server.key
server.crt: server.csr ca.key ca.pem
@@ -101,6 +107,8 @@ server.p12: server.crt
server.pem: server.p12
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
chmod g+r server.pem
+ chown root:radiusd server.*
+ chmod 640 server.*
.PHONY: server.vrfy
server.vrfy: ca.pem
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
#
######################################################################
client.csr client.key: client.cnf
- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key
client.crt: client.csr ca.pem ca.key
@@ -127,6 +135,8 @@ client.pem: client.p12
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
chmod g+r client.pem
cp client.pem $(USER_NAME).pem
+ chown root:radiusd client.*
+ chmod 640 client.*
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
#
######################################################################
inner-server.csr inner-server.key: inner-server.cnf
- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
chmod g+r inner-server.key
inner-server.crt: inner-server.csr ca.key ca.pem
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
inner-server.pem: inner-server.p12
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
chmod g+r inner-server.pem
+ chown root:radiusd inner-server.*
+ chmod 640 inner-server.*
.PHONY: inner-server.vrfy
inner-server.vrfy: ca.pem
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 57de8cf0d7..c258ec45e0 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
fi
if [ ! -e server.key ]; then
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
chmod g+r server.key
fi
if [ ! -e ca.key ]; then
- openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
fi
if [ ! -e index.txt ]; then
@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
fi
if [ ! -e client.key ]; then
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key
fi

31
freeradius-ldap-infinite-timeout-on-starttls.patch
View File

@ -1,31 +0,0 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 28 Jan 2022
Subject: Use infinite timeout when using LDAP+start-TLS
This will ensure that the TLS connection to the LDAP server will complete
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
the process. Infinite timeout is the OpenLDAP default.
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
src/modules/rlm_ldap/ldap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index cf7a84e069..841bf888a1 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
}
#ifdef LDAP_OPT_NETWORK_TIMEOUT
- if (inst->net_timeout) {
+ bool using_tls = inst->start_tls ||
+ inst->port == 636 ||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
+ if (inst->net_timeout && !using_tls) {
memset(&tv, 0, sizeof(tv));
tv.tv_sec = inst->net_timeout;

42
freeradius-listen-ipv6-fix.patch Normal file
View File

@ -0,0 +1,42 @@
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 22 Apr 2019 14:38:19 -0400
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
which effectively result in a listen.ipaddr only allowing hostnames to
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
it'll bail with the error message:
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
Name or service not known
This directly contradicts the language in the default configuration
file, so support resolving both IPv4-only and IPv6-only hostnames.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/lib/misc.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index dff21e33f7..5520d8a0a4 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
fr_strerror_printf("Invalid address");
return -1;
}
-
- /*
- * Fall through to resolving the address, using
- * whatever address family they prefer. If they
- * don't specify an address family, force IPv4.
- */
- if (af == AF_UNSPEC) af = AF_INET;
}
/*

64
freeradius-python2-shebangs.patch Normal file
View File

@ -0,0 +1,64 @@
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 18 Oct 2018 12:40:53 -0400
Subject: [PATCH] Clarify shebangs to be python2
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
scripts/radtee | 2 +-
src/modules/rlm_python/example.py | 2 +-
src/modules/rlm_python/prepaid.py | 2 +-
src/modules/rlm_python/radiusd.py | 2 +-
src/modules/rlm_python/radiusd_test.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/radtee b/scripts/radtee
index 123769d244..78b4bcbe0b 100755
--- a/scripts/radtee
+++ b/scripts/radtee
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python2
from __future__ import with_statement
# RADIUS comparison tee v1.0
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
index 5950a07678..eaf456e349 100644
--- a/src/modules/rlm_python/example.py
+++ b/src/modules/rlm_python/example.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module example file
# Miguel A.L. Paraz <mparaz@mparaz.com>
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
index c3cbf57b8f..3b1dc2e2e8 100644
--- a/src/modules/rlm_python/prepaid.py
+++ b/src/modules/rlm_python/prepaid.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Example Python module for prepaid usage using MySQL
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
index c535bb3caf..7129923994 100644
--- a/src/modules/rlm_python/radiusd.py
+++ b/src/modules/rlm_python/radiusd.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Definitions for RADIUS programs
#
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
index 13b7128b29..97b5b64f08 100644
--- a/src/modules/rlm_python/radiusd_test.py
+++ b/src/modules/rlm_python/radiusd_test.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/env python2
#
# Python module test
# Miguel A.L. Paraz <mparaz@mparaz.com>

113
freeradius-radiusd-init Normal file
View File

@ -0,0 +1,113 @@
#!/bin/sh
#
# radiusd Start/Stop the FreeRADIUS daemon
#
# chkconfig: - 88 10
# description: Extensible, configurable, high performance RADIUS server.
### BEGIN INIT INFO
# Provides: radiusd
# Required-Start: $network
# Required-Stop:
# Default-Start:
# Default-Stop:
# Should-Start: $time $syslog mysql ldap postgresql samba krb5-kdc
# Should-Stop:
# Short-Description: FreeRADIUS server
# Description: Extensible, configurable, high performance RADIUS server.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
prog=radiusd
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
exec=${exec:=/usr/sbin/$prog}
config_dir=${config_dir:=/etc/raddb}
config=${config:=$config_dir/radiusd.conf}
pidfile=${pidfile:=/var/run/$prog/$prog.pid}
lockfile=${lockfile:=/var/lock/subsys/radiusd}
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon --pidfile $pidfile $exec -d $config_dir
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $pidfile $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
# radiusd may not be capable of a 100% configuration reload depending
# on which loadable modules are in use, if sending the server a
# HUP is not sufficient then use restart here instead. However, we
# prefer by default to use HUP since it's what is usually desired.
#
# restart
kill -HUP `pidofproc -p $pidfile $prog`
}
force_reload() {
restart
}
rh_status() {
# run checks to determine if the service is running or use generic status
status -p $pidfile $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

3
freeradius.sysusers
View File

@ -1,3 +0,0 @@
#Type Name ID GECOS Home directory Shell
u radiusd 95 "radiusd user" /var/lib/radiusd /sbin/nologin
g radiusd 95 - - -

2
gating.yaml
View File

@ -1,6 +1,6 @@
--- !Policy
product_versions:
- rhel-9
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

3
rpminspect.yaml
View File

@ -1,3 +1,6 @@
---
inspections:
badfuncs: off
runpath:
allowed_paths:
- /usr/lib64

36
tests/auth-tests/Makefile
View File

@ -1,36 +0,0 @@
# SPDX-License-Identifier: LGPL-2.1+
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/freeradius
# Description: Test if freeradius authentication workd ok
# Author: Susant Sahani<susant@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/freeradius
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Susant Sahani<susant@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test if the ABI hasn't changed" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: freeradius" >> $(METADATA)
@echo "Requires: freeradius freeradius-utils python3 python3-psutil" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -Fedora 28" >> $(METADATA)
rhts-lint $(METADATA)

3
tests/auth-tests/PURPOSE
View File

@ -1,3 +0,0 @@
PURPOSE of /CoreOS/freeradius
Description: tests for freeradius
Author: Susant Sahani<susant@redhat.com>

2
tests/auth-tests/authorize
View File

@ -1,2 +0,0 @@
fedora-ci Cleartext-Password := "password"
Reply-Message = "Hello, %{User-Name}"

6
tests/auth-tests/clients.conf
View File

@ -1,6 +0,0 @@
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
nastype = other
}

68
tests/auth-tests/freeradius-tests.py
View File

@ -1,68 +0,0 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# Description: Tests for freeradius
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
import errno
import os
import sys
import time
import unittest
import subprocess
import signal
import shutil
import psutil
import socket
RADIUSD_PID_FILE='/var/run/radiusd/radiusd.pid'
def setUpModule():
"""Initialize the environment, and perform sanity checks on it."""
if shutil.which('radiusd') is None:
raise OSError(errno.ENOENT, 'radiusd not found')
if shutil.which('radtest') is None:
raise OSError(errno.ENOENT, 'radtest not found')
if subprocess.call(['systemctl', 'is-active', '--quiet',
'radiusd.service']) == 0:
raise unittest.SkipTest('radiusd.service is already active')
def tearDownModule():
pass
class GenericUtilities():
"""Provide a set of utility functions start stop daemons. write config files etc """
def StartRadiusServer(self):
"""Start radiusd"""
subprocess.check_output(['systemctl', 'start', 'radiusd'])
def StopRadiusServer(self):
"""stop radiusd"""
subprocess.check_output(['systemctl', 'stop', 'radiusd'])
class RadiousTests(unittest.TestCase, GenericUtilities):
def setUp(self):
self.StartRadiusServer()
def tearDown(self):
self.StopRadiusServer()
def test_radius_plaintext_auth(self):
time.sleep(1)
output=subprocess.check_output(['radtest', 'fedora-ci', 'password', '127.0.0.1', '100', 'testing123']).rstrip().decode('utf-8')
print(output)
self.assertRegex(output, "Received Access-Accept")
self.assertRegex(output, "Reply-Message = \"Hello, fedora-ci\"")
if __name__ == '__main__':
unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
verbosity=3))

70
tests/auth-tests/runtest.sh
View File

@ -1,70 +0,0 @@
#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# runtest.sh of freeradius
# Description: RADIUS server
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="freeradius"
RADIUS_CLIENT_CONF="/etc/raddb/clients.conf"
RADIUD_PALIN_TEXT_AUTH_FILE="/etc/raddb/mods-config/files/authorize"
generate_cert(){
pushd /etc/raddb/certs/
#remove certificates if exists;generate new certificates
if [[ -f /etc/raddb/certs/bootstrap ]]; then
rlLog "Destroy and create new default certificates via bootstrap script"
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* dh
rlRun "sh /etc/raddb/certs/bootstrap" 0 "Gnenerating certificates"
else
rlLogWarning "!!! WARNING bootsrap file does not exist !!!"
rlLog "Destroy and create new default certificates via make scripts"
make destroycerts -C /etc/raddb/certs/
#create new certificates
make -C /etc/raddb/certs/
chown root:radiusd dh ca.* client.* server.*
chmod 640 dh ca.* client.* server.*
fi
popd
}
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "systemctl stop firewalld" 0,5
rlRun "systemctl stop radiusd.service"
rlRun "setenforce 0"
rlFileBackup "$RADIUS_CLIENT_CONF"
rlFileBackup "$RADIUD_PALIN_TEXT_AUTH_FILE"
rlRun "cp freeradius-tests.py /usr/bin/"
rlRun "cp clients.conf $RADIUS_CLIENT_CONF"
rlRun "cp authorize $RADIUD_PALIN_TEXT_AUTH_FILE"
rlRun "systemctl daemon-reload"
#manually generate default certificates
generate_cert
rlPhaseEnd
rlPhaseStartTest
rlLog "Starting radius auth tests ..."
rlRun "/usr/bin/python3 /usr/bin/freeradius-tests.py"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm /usr/bin/freeradius-tests.py"
rlRun "systemctl start firewalld" 0,5
rlRun "setenforce 1"
rlFileRestore
rlLog "freeradius tests done"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
rlGetTestState

12
tests/tests.yml
View File

@ -1,12 +0,0 @@
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- auth-tests
required_packages:
- python3
- systemd
- freeradius
- freeradius-utils