re-import sources as agreed with the maintainer
This commit is contained in:
parent
dd475a62c3
commit
a7b5fbfaff
33
.gitignore
vendored
33
.gitignore
vendored
@ -1,2 +1,33 @@
|
|||||||
SOURCES/freeradius-server-3.0.20.tar.bz2
|
# Ignore build artifacts and signatures
|
||||||
|
*.sig
|
||||||
|
.build*.log
|
||||||
|
freeradius-server-*/
|
||||||
|
x86_64/
|
||||||
|
freeradius-*.src.rpm
|
||||||
|
|
||||||
|
# Automatically added
|
||||||
|
/freeradius-server-2.1.9.tar.bz2
|
||||||
|
/freeradius-server-2.1.10.tar.bz2
|
||||||
|
/freeradius-server-2.1.11.tar.bz2
|
||||||
|
/freeradius-server-2.1.12.tar.bz2
|
||||||
|
/freeradius-server-2.2.0.tar.bz2
|
||||||
|
/freeradius-server-release_3_0_0_rc0.tar.gz
|
||||||
|
/freeradius-server-release_3_0_0_rc1.tar.gz
|
||||||
|
/freeradius-server-3.0.0.tar.bz2
|
||||||
|
/freeradius-server-3.0.1.tar.bz2
|
||||||
|
/freeradius-server-3.0.2.tar.bz2
|
||||||
|
/freeradius-server-3.0.3.tar.bz2
|
||||||
|
/freeradius-server-3.0.4rc2.tar.bz2
|
||||||
|
/freeradius-server-3.0.4.tar.bz2
|
||||||
|
/freeradius-server-3.0.7.tar.bz2
|
||||||
|
/freeradius-server-3.0.8.tar.bz2
|
||||||
|
/freeradius-server-3.0.9.tar.bz2
|
||||||
|
/freeradius-server-3.0.10.tar.bz2
|
||||||
|
/freeradius-server-3.0.11.tar.bz2
|
||||||
|
/freeradius-server-3.0.12.tar.bz2
|
||||||
|
/freeradius-server-3.0.13.tar.bz2
|
||||||
|
/freeradius-server-3.0.14.tar.bz2
|
||||||
|
/freeradius-server-3.0.15.tar.bz2
|
||||||
|
/release_3_0_17.tar.gz
|
||||||
|
/freeradius-server-3.0.17.tar.bz2
|
||||||
/freeradius-server-3.0.20.tar.bz2
|
/freeradius-server-3.0.20.tar.bz2
|
||||||
|
385
find_module_deps
Normal file
385
find_module_deps
Normal file
@ -0,0 +1,385 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import exceptions
|
||||||
|
import getopt
|
||||||
|
import os
|
||||||
|
import re
|
||||||
|
import rpm
|
||||||
|
import select
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
def get_rlms(root):
|
||||||
|
rlm_re = re.compile(r'^rlm_')
|
||||||
|
version_re = re.compile(r'-[0-9.]+\.so$')
|
||||||
|
names = os.listdir(root)
|
||||||
|
names = [x for x in names if rlm_re.search(x)]
|
||||||
|
names = [x for x in names if not version_re.search(x)]
|
||||||
|
names.sort()
|
||||||
|
return names
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
debug = False
|
||||||
|
verbose = False
|
||||||
|
|
||||||
|
exclude_rpms = ['glibc']
|
||||||
|
|
||||||
|
build = '2.0.2-1.fc8'
|
||||||
|
root_template = '/var/tmp/freeradius-%s-root-jdennis/usr/lib/freeradius'
|
||||||
|
libdirs = ['/lib','/usr/lib']
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
def get_rpm_nvr_from_header(hdr):
|
||||||
|
'Given an RPM header return the package NVR as a string'
|
||||||
|
name = hdr['name']
|
||||||
|
version = hdr['version']
|
||||||
|
release = hdr['release']
|
||||||
|
|
||||||
|
return "%s-%s-%s" % (name, version, release)
|
||||||
|
|
||||||
|
def get_rpm_hdr_by_file_path(path):
|
||||||
|
if path is None:
|
||||||
|
return None
|
||||||
|
|
||||||
|
hdr = None
|
||||||
|
try:
|
||||||
|
ts = rpm.ts()
|
||||||
|
mi = ts.dbMatch(rpm.RPMTAG_BASENAMES, path)
|
||||||
|
for hdr in mi: break
|
||||||
|
except Exception, e:
|
||||||
|
print >> sys.stderr, "failed to retrieve rpm hdr for %s, %s" %(path, e)
|
||||||
|
hdr = None
|
||||||
|
return hdr
|
||||||
|
|
||||||
|
def get_rpm_nvr_by_file_path(path):
|
||||||
|
if path is None:
|
||||||
|
return None
|
||||||
|
|
||||||
|
hdr = get_rpm_hdr_by_file_path(path)
|
||||||
|
if not hdr:
|
||||||
|
print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
|
||||||
|
nvr = get_rpm_nvr_from_header(hdr)
|
||||||
|
return nvr
|
||||||
|
|
||||||
|
def get_rpm_name_by_file_path(path):
|
||||||
|
if path is None:
|
||||||
|
return None
|
||||||
|
|
||||||
|
hdr = get_rpm_hdr_by_file_path(path)
|
||||||
|
if not hdr:
|
||||||
|
print >> sys.stderr, "failed to retrieve rpm info for %s" %(path)
|
||||||
|
name = hdr['name']
|
||||||
|
return name
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
class CmdError(exceptions.Exception):
|
||||||
|
def __init__(self, errno, msg):
|
||||||
|
self.errno = errno
|
||||||
|
self.msg = msg
|
||||||
|
|
||||||
|
|
||||||
|
class Command:
|
||||||
|
def __init__(self, cmd):
|
||||||
|
self.cmd = cmd
|
||||||
|
self.sub_process = None
|
||||||
|
self.bufsize = 1024
|
||||||
|
self.stdout_buf = ''
|
||||||
|
self.stderr_buf = ''
|
||||||
|
self.stdout_lines = []
|
||||||
|
self.stderr_lines = []
|
||||||
|
|
||||||
|
def run(self, stdout_callback=None, stderr_callback=None):
|
||||||
|
self.sub_process = subprocess.Popen(self.cmd, \
|
||||||
|
stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE, \
|
||||||
|
close_fds=True, shell=True)
|
||||||
|
self.stdout = self.sub_process.stdout
|
||||||
|
self.stderr = self.sub_process.stderr
|
||||||
|
|
||||||
|
read_watch = [self.stdout, self.stderr]
|
||||||
|
while read_watch:
|
||||||
|
readable = select.select(read_watch, [], [])[0]
|
||||||
|
for fd in readable:
|
||||||
|
if fd == self.stdout:
|
||||||
|
data = os.read(fd.fileno(), self.bufsize)
|
||||||
|
if not data:
|
||||||
|
read_watch.remove(fd)
|
||||||
|
else:
|
||||||
|
self.stdout_buf += data
|
||||||
|
for line in self.burst_lines('stdout_buf'):
|
||||||
|
if stdout_callback: stdout_callback(line)
|
||||||
|
self.stdout_lines.append(line)
|
||||||
|
if fd == self.stderr:
|
||||||
|
data = os.read(fd.fileno(), self.bufsize)
|
||||||
|
if not data:
|
||||||
|
read_watch.remove(fd)
|
||||||
|
else:
|
||||||
|
self.stderr_buf += data
|
||||||
|
for line in self.burst_lines('stderr_buf'):
|
||||||
|
if stdout_callback: stderr_callback(line)
|
||||||
|
self.stderr_lines.append(line)
|
||||||
|
|
||||||
|
self.returncode = self.sub_process.wait()
|
||||||
|
if self.returncode:
|
||||||
|
raise CmdError(self.returncode, "cmd \"%s\"\nreturned status %d\n%s" % (self.cmd, self.returncode, ''.join(self.stderr_lines)))
|
||||||
|
|
||||||
|
return self.returncode
|
||||||
|
|
||||||
|
def burst_lines(self, what):
|
||||||
|
buf = getattr(self, what)
|
||||||
|
start = 0
|
||||||
|
end = buf.find('\n', start)
|
||||||
|
while end >= 0:
|
||||||
|
end += 1 # include newline
|
||||||
|
line = buf[start:end]
|
||||||
|
yield line
|
||||||
|
start = end
|
||||||
|
end = buf.find('\n', start)
|
||||||
|
buf = buf[start:]
|
||||||
|
setattr(self, what, buf)
|
||||||
|
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
def get_so_requires(path):
|
||||||
|
requires = {}
|
||||||
|
cmd = 'ldd %s' % (path)
|
||||||
|
so_re = re.compile(r'^\s*(\S+)\s+=>\s+(\S+)')
|
||||||
|
|
||||||
|
c = Command(cmd)
|
||||||
|
status = c.run()
|
||||||
|
|
||||||
|
for line in c.stdout_lines:
|
||||||
|
line = line.strip()
|
||||||
|
match = so_re.search(line)
|
||||||
|
if match:
|
||||||
|
so_name = match.group(1)
|
||||||
|
if match.group(2).startswith('/'):
|
||||||
|
so_path = match.group(2)
|
||||||
|
else:
|
||||||
|
so_path = None
|
||||||
|
|
||||||
|
requires[so_name] = so_path
|
||||||
|
return requires
|
||||||
|
|
||||||
|
def get_so_needed(path):
|
||||||
|
needed = []
|
||||||
|
cmd = 'readelf -d %s' % (path)
|
||||||
|
so_re = re.compile(r'\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]')
|
||||||
|
|
||||||
|
c = Command(cmd)
|
||||||
|
status = c.run()
|
||||||
|
|
||||||
|
for line in c.stdout_lines:
|
||||||
|
line = line.strip()
|
||||||
|
match = so_re.search(line)
|
||||||
|
if match:
|
||||||
|
so_name = match.group(1)
|
||||||
|
needed.append(so_name)
|
||||||
|
return needed
|
||||||
|
|
||||||
|
def format_size(size):
|
||||||
|
if size > 1000000000:
|
||||||
|
return '%.1f GB' % (size/1000000000.0)
|
||||||
|
if size > 1000000:
|
||||||
|
return '%.1f MB' % (size/1000000.0)
|
||||||
|
if size > 1000:
|
||||||
|
return '%.1f KB' % (size/1000.0)
|
||||||
|
return '%d' % (size)
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
class RPM_Prop:
|
||||||
|
def __init__(self, path=None, name=None):
|
||||||
|
self.name = name
|
||||||
|
self.paths = {}
|
||||||
|
self.rpm_hdr = None
|
||||||
|
self.used_by = {}
|
||||||
|
if path:
|
||||||
|
self.register_path(path)
|
||||||
|
if not self.rpm_hdr:
|
||||||
|
self.rpm_hdr = get_rpm_hdr_by_file_path(path)
|
||||||
|
if self.rpm_hdr:
|
||||||
|
if not self.name:
|
||||||
|
self.name = self.rpm_hdr[rpm.RPMTAG_NAME]
|
||||||
|
self.size = self.rpm_hdr[rpm.RPMTAG_SIZE]
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
return "name=%s paths=%s" % (self.name, ','.join(self.paths.keys()))
|
||||||
|
|
||||||
|
def register_path(self, path, name=None):
|
||||||
|
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
|
||||||
|
return self.paths.setdefault(path, path)
|
||||||
|
|
||||||
|
class RPM_Collection:
|
||||||
|
def __init__(self):
|
||||||
|
self.names = {}
|
||||||
|
self.paths = {}
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
text = ''
|
||||||
|
names = self.get_names()
|
||||||
|
for name in names:
|
||||||
|
text += "%s: %s\n" % (name, self.names[name])
|
||||||
|
return text
|
||||||
|
|
||||||
|
def register_path(self, path):
|
||||||
|
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
|
||||||
|
rpm_prop = self.paths.get(path)
|
||||||
|
if not rpm_prop:
|
||||||
|
rpm_prop = self.paths.setdefault(path, RPM_Prop(path=path))
|
||||||
|
self.names.setdefault(rpm_prop.name, rpm_prop)
|
||||||
|
return rpm_prop
|
||||||
|
|
||||||
|
def get_names(self):
|
||||||
|
names = self.names.keys()
|
||||||
|
names.sort()
|
||||||
|
return names
|
||||||
|
|
||||||
|
def get_name(self, name):
|
||||||
|
return self.names.get(name)
|
||||||
|
|
||||||
|
class SO_File:
|
||||||
|
def __init__(self, name=None, path=None):
|
||||||
|
self.name = name
|
||||||
|
self.path = path
|
||||||
|
self.rpm = None
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
if self.rpm:
|
||||||
|
rpm_name = self.rpm.name
|
||||||
|
else:
|
||||||
|
rpm_name = None
|
||||||
|
return "name=%s rpm=%s" % (self.name, rpm_name)
|
||||||
|
|
||||||
|
class SO_Collection:
|
||||||
|
def __init__(self):
|
||||||
|
self.names = {}
|
||||||
|
self.paths = {}
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
text = ''
|
||||||
|
names = self.get_names()
|
||||||
|
for name in names:
|
||||||
|
text += "%s: %s\n" % (name, self.names[name])
|
||||||
|
return text
|
||||||
|
|
||||||
|
def register_path(self, path, name=None):
|
||||||
|
if debug: print "%s.register_path: path=%s" % (self.__class__.__name__, path)
|
||||||
|
so_prop = self.paths.get(path)
|
||||||
|
if not so_prop:
|
||||||
|
so_prop = self.paths.setdefault(path, SO_File(name, path=path))
|
||||||
|
self.names.setdefault(name, so_prop)
|
||||||
|
return so_prop
|
||||||
|
|
||||||
|
def get_names(self):
|
||||||
|
names = self.names.keys()
|
||||||
|
names.sort()
|
||||||
|
return names
|
||||||
|
|
||||||
|
class LoadableModule:
|
||||||
|
def __init__(self, path, name=None):
|
||||||
|
if name is None:
|
||||||
|
name = os.path.basename(path)
|
||||||
|
self.name = name
|
||||||
|
self.path = path
|
||||||
|
self.rpm_names = {}
|
||||||
|
self.sos = SO_Collection()
|
||||||
|
self.get_so_requires()
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
text = '%s\n' % (self.name)
|
||||||
|
text += " RPM's: %s\n" % (','.join(self.get_rpm_names()))
|
||||||
|
text += " SO's: %s\n" % (','.join(self.sos.get_names()))
|
||||||
|
return text
|
||||||
|
|
||||||
|
def get_so_requires(self):
|
||||||
|
requires = get_so_requires(self.path)
|
||||||
|
needed = get_so_needed(self.path)
|
||||||
|
#print "%s requires=%s" % (self.name, requires)
|
||||||
|
#print "%s needed=%s" % (self.name, needed)
|
||||||
|
|
||||||
|
for so_name, so_path in requires.items():
|
||||||
|
if so_name not in needed: continue
|
||||||
|
if so_path:
|
||||||
|
so_prop = self.sos.register_path(so_path, so_name)
|
||||||
|
rpm_prop = rpms.register_path(so_prop.path)
|
||||||
|
rpm_prop.used_by[self.name] = 1
|
||||||
|
self.rpm_names.setdefault(rpm_prop.name, rpm_prop.name)
|
||||||
|
so_prop.rpm = rpm_prop
|
||||||
|
else:
|
||||||
|
so_prop = None
|
||||||
|
if verbose: print "found so='%s' %s" % (so_name, so_prop)
|
||||||
|
|
||||||
|
def register_so(self, so):
|
||||||
|
if debug: print "%s.register_so: so=%s" % (self.__class__.__name__, so)
|
||||||
|
self.sos.setdefault(so, so)
|
||||||
|
self.names.setdefault(so.name, so)
|
||||||
|
return so
|
||||||
|
|
||||||
|
def get_rpm_names(self):
|
||||||
|
rpm_names = self.rpm_names.keys()
|
||||||
|
rpm_names.sort()
|
||||||
|
return rpm_names
|
||||||
|
|
||||||
|
def get_sos(self):
|
||||||
|
sos = self.sos.keys()
|
||||||
|
sos.sort(lambda a,b: cmp(a.name, b.name))
|
||||||
|
return sos
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
#------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
opts, args = getopt.getopt(sys.argv[1:], "b:v", ['build=','verbose'])
|
||||||
|
for o, a in opts:
|
||||||
|
if o in ['-b', '--build']:
|
||||||
|
build = a
|
||||||
|
elif o in ['-v', '--verbose']:
|
||||||
|
verbose = True
|
||||||
|
else:
|
||||||
|
print >> sys.stderr, "Unknown arg: %s" % o
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
root = root_template % build
|
||||||
|
modules = get_rlms(root)
|
||||||
|
module_paths = [os.path.join(root,x) for x in modules]
|
||||||
|
rpms = RPM_Collection()
|
||||||
|
|
||||||
|
lms = []
|
||||||
|
for module_path in module_paths[:]:
|
||||||
|
lm = LoadableModule(module_path)
|
||||||
|
lms.append(lm)
|
||||||
|
|
||||||
|
|
||||||
|
print "RLM Modules(%s): %s\n" % (len(modules), ','.join(modules))
|
||||||
|
|
||||||
|
for lm in lms:
|
||||||
|
rpm_names = [x for x in lm.get_rpm_names() if x not in exclude_rpms]
|
||||||
|
if rpm_names:
|
||||||
|
print lm.name
|
||||||
|
print ' %s' % (','.join(rpm_names))
|
||||||
|
|
||||||
|
print "--------------"
|
||||||
|
|
||||||
|
rpm_props = [x for x in rpms.names.values() if len(x.used_by) and x.name not in exclude_rpms]
|
||||||
|
rpm_props.sort(lambda a,b: cmp(a.name, b.name))
|
||||||
|
for rpm_prop in rpm_props:
|
||||||
|
used_by = rpm_prop.used_by.keys()
|
||||||
|
used_by.sort()
|
||||||
|
print "%s: %s" % (rpm_prop.name, ','.join(used_by))
|
||||||
|
|
||||||
|
print "--------------"
|
||||||
|
|
||||||
|
rpm_props.sort(lambda a,b: cmp(a.size, b.size))
|
||||||
|
for rpm_prop in rpm_props:
|
||||||
|
print '%10s %s' % (format_size(rpm_prop.size), rpm_prop.name)
|
||||||
|
|
||||||
|
|
||||||
|
print "--------------"
|
||||||
|
|
||||||
|
for lm in lms:
|
||||||
|
print lm
|
97
freeradius-Add-missing-option-descriptions.patch
Normal file
97
freeradius-Add-missing-option-descriptions.patch
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
From afb196b29606aafb5030e8c7ea414a4bd494cbc0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||||
|
Date: Fri, 14 Sep 2018 12:20:11 +0300
|
||||||
|
Subject: [PATCH] man: Add missing option descriptions
|
||||||
|
|
||||||
|
---
|
||||||
|
man/man8/raddebug.8 | 4 ++++
|
||||||
|
man/man8/radiusd.8 | 7 +++++++
|
||||||
|
man/man8/radmin.8 | 4 ++++
|
||||||
|
3 files changed, 15 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/man/man8/raddebug.8 b/man/man8/raddebug.8
|
||||||
|
index 66e80e64fa..6e27e2453c 100644
|
||||||
|
--- a/man/man8/raddebug.8
|
||||||
|
+++ b/man/man8/raddebug.8
|
||||||
|
@@ -7,6 +7,8 @@ raddebug - Display debugging output from a running server.
|
||||||
|
.IR condition ]
|
||||||
|
.RB [ \-d
|
||||||
|
.IR config_directory ]
|
||||||
|
+.RB [ \-D
|
||||||
|
+.IR dictionary_directory ]
|
||||||
|
.RB [ \-n
|
||||||
|
.IR name ]
|
||||||
|
.RB [ \-i
|
||||||
|
@@ -73,6 +75,8 @@ option is equivalent to using:
|
||||||
|
.IP "\-d \fIconfig directory\fP"
|
||||||
|
The radius configuration directory, usually /etc/raddb. See the
|
||||||
|
\fIradmin\fP manual page for more description of this option.
|
||||||
|
+.IP "\-D \fIdictionary directory\fP"
|
||||||
|
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||||
|
.IP "\-n \fImname\fP"
|
||||||
|
Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP.
|
||||||
|
.IP \-I\ \fIipv6-address\fP
|
||||||
|
diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
|
||||||
|
index c825f22d0d..98aef5e1be 100644
|
||||||
|
--- a/man/man8/radiusd.8
|
||||||
|
+++ b/man/man8/radiusd.8
|
||||||
|
@@ -6,6 +6,8 @@ radiusd - Authentication, Authorization and Accounting server
|
||||||
|
.RB [ \-C ]
|
||||||
|
.RB [ \-d
|
||||||
|
.IR config_directory ]
|
||||||
|
+.RB [ \-D
|
||||||
|
+.IR dictionary_directory ]
|
||||||
|
.RB [ \-f ]
|
||||||
|
.RB [ \-h ]
|
||||||
|
.RB [ \-i
|
||||||
|
@@ -17,6 +19,7 @@ radiusd - Authentication, Authorization and Accounting server
|
||||||
|
.IR name ]
|
||||||
|
.RB [ \-p
|
||||||
|
.IR port ]
|
||||||
|
+.RB [ \-P ]
|
||||||
|
.RB [ \-s ]
|
||||||
|
.RB [ \-t ]
|
||||||
|
.RB [ \-v ]
|
||||||
|
@@ -55,6 +58,8 @@ configuration, and which modules are skipped, and therefore not checked.
|
||||||
|
.IP "\-d \fIconfig directory\fP"
|
||||||
|
Defaults to \fI/etc/raddb\fP. \fBRadiusd\fP looks here for its configuration
|
||||||
|
files such as the \fIdictionary\fP and the \fIusers\fP files.
|
||||||
|
+.IP "\-D \fIdictionary directory\fP"
|
||||||
|
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||||
|
.IP \-f
|
||||||
|
Do not fork, stay running as a foreground process.
|
||||||
|
.IP \-h
|
||||||
|
@@ -84,6 +89,8 @@ When this command-line option is given, all "listen" sections in
|
||||||
|
\fIradiusd.conf\fP are ignored.
|
||||||
|
|
||||||
|
This option MUST be used in conjunction with "-i".
|
||||||
|
+.IP "\-P
|
||||||
|
+Always write out PID, even with -f.
|
||||||
|
.IP \-s
|
||||||
|
Run in "single server" mode. The server normally runs with multiple
|
||||||
|
threads and/or processes, which can lower its response time to
|
||||||
|
diff --git a/man/man8/radmin.8 b/man/man8/radmin.8
|
||||||
|
index 5ecc963d81..5bf661fa71 100644
|
||||||
|
--- a/man/man8/radmin.8
|
||||||
|
+++ b/man/man8/radmin.8
|
||||||
|
@@ -5,6 +5,8 @@ radmin - FreeRADIUS Administration tool
|
||||||
|
.B radmin
|
||||||
|
.RB [ \-d
|
||||||
|
.IR config_directory ]
|
||||||
|
+.RB [ \-D
|
||||||
|
+.IR dictionary_directory ]
|
||||||
|
.RB [ \-e
|
||||||
|
.IR command ]
|
||||||
|
.RB [ \-E ]
|
||||||
|
@@ -34,6 +36,8 @@ The following command-line options are accepted by the program.
|
||||||
|
Defaults to \fI/etc/raddb\fP. \fBradmin\fP looks here for the server
|
||||||
|
configuration files to find the "listen" section that defines the
|
||||||
|
control socket filename.
|
||||||
|
+.IP "\-D \fIdictionary directory\fP"
|
||||||
|
+Set main dictionary directory. Defaults to \fI/usr/share/freeradius\fP.
|
||||||
|
.IP "\-e \fIcommand\fP"
|
||||||
|
Run \fIcommand\fP and exit.
|
||||||
|
.IP \-E
|
||||||
|
--
|
||||||
|
2.18.0
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
45
freeradius-EAP-PWD-curve-handling.patch
Normal file
45
freeradius-EAP-PWD-curve-handling.patch
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
index 7f91e4b230..848ca2055e 100644
|
||||||
|
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
||||||
|
data_len = BN_num_bytes(session->order);
|
||||||
|
BN_bin2bn(ptr, data_len, session->peer_scalar);
|
||||||
|
|
||||||
|
+ /* validate received scalar */
|
||||||
|
+ if (BN_is_zero(session->peer_scalar) ||
|
||||||
|
+ BN_is_one(session->peer_scalar) ||
|
||||||
|
+ BN_cmp(session->peer_scalar, session->order) >= 0) {
|
||||||
|
+ ERROR("Peer's scalar is not within the allowed range");
|
||||||
|
+ goto finish;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
|
||||||
|
DEBUG2("pwd: unable to get coordinates of peer's element");
|
||||||
|
goto finish;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* validate received element */
|
||||||
|
+ if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
|
||||||
|
+ EC_POINT_is_at_infinity(session->group, session->peer_element)) {
|
||||||
|
+ ERROR("Peer's element is not a point on the elliptic curve");
|
||||||
|
+ goto finish;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* check to ensure peer's element is not in a small sub-group */
|
||||||
|
if (BN_cmp(cofactor, BN_value_one())) {
|
||||||
|
if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
|
||||||
|
@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* detect reflection attacks */
|
||||||
|
+ if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
|
||||||
|
+ EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
|
||||||
|
+ ERROR("Reflection attack detected");
|
||||||
|
+ goto finish;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* compute the shared key, k */
|
||||||
|
if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
|
||||||
|
(!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
|
38
freeradius-EAP-PWD-information-leak-10-iterations.patch
Normal file
38
freeradius-EAP-PWD-information-leak-10-iterations.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
From 3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mathy Vanhoef <mathy.vanhoef@nyu.edu>
|
||||||
|
Date: Wed, 5 Jun 2019 19:21:06 +0000
|
||||||
|
Subject: [PATCH] EAP-pwd: fix side-channel leak where 1 in 2018 handshakes
|
||||||
|
fail
|
||||||
|
|
||||||
|
Previously the Hunting and Pecking algorithm of EAP-pwd aborted when
|
||||||
|
more than 10 iterations are needed. Every iteration has a 50% chance
|
||||||
|
of finding the password element. This means one in every 2048 handshakes
|
||||||
|
will fail, in which case an error frame is sent to the client. This
|
||||||
|
event leaks information that can be abused in an offline password
|
||||||
|
brute-force attack. More precisely, the adversary learns that all 10
|
||||||
|
iterations failed for the given random EAP-pwd token. Using the same
|
||||||
|
techniques as in the Dragonblood attack, this can be used to brute-force
|
||||||
|
the password.
|
||||||
|
|
||||||
|
This patch fixes the above issue by executing enough iterations such that
|
||||||
|
the password element is always found eventually.
|
||||||
|
|
||||||
|
Note that timing and cache leaks remain a risk against the current
|
||||||
|
implementation of EAP-pwd.
|
||||||
|
---
|
||||||
|
src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
index c54f08c030..d94851c3aa 100644
|
||||||
|
--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
+++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
|
||||||
|
@@ -192,7 +192,7 @@ int compute_password_element (pwd_session_t *session, uint16_t grp_num,
|
||||||
|
}
|
||||||
|
ctr = 0;
|
||||||
|
while (1) {
|
||||||
|
- if (ctr > 10) {
|
||||||
|
+ if (ctr > 100) {
|
||||||
|
DEBUG("unable to find random point on curve for group %d, something's fishy", grp_num);
|
||||||
|
goto fail;
|
||||||
|
}
|
68
freeradius-OpenSSL-HMAC-MD5.patch
Normal file
68
freeradius-OpenSSL-HMAC-MD5.patch
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
From b93796b1890b35a0922bfba9cd08e8a1a5f956cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
Date: Fri, 28 Sep 2018 09:54:46 -0400
|
||||||
|
Subject: [PATCH 1/2] Replace HMAC-MD5 implementation with OpenSSL's
|
||||||
|
|
||||||
|
If OpenSSL EVP is not found, fallback to internal implementation of
|
||||||
|
HMAC-MD5.
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
---
|
||||||
|
src/lib/hmacmd5.c | 34 +++++++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 33 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/hmacmd5.c b/src/lib/hmacmd5.c
|
||||||
|
index 2c662ff368..1cca00fa2a 100644
|
||||||
|
--- a/src/lib/hmacmd5.c
|
||||||
|
+++ b/src/lib/hmacmd5.c
|
||||||
|
@@ -27,10 +27,41 @@
|
||||||
|
|
||||||
|
RCSID("$Id: 2c662ff368e46556edd2cfdf408bd0fca0ab5f18 $")
|
||||||
|
|
||||||
|
+#ifdef HAVE_OPENSSL_EVP_H
|
||||||
|
+#include <openssl/hmac.h>
|
||||||
|
+#include <openssl/evp.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#include <freeradius-devel/libradius.h>
|
||||||
|
#include <freeradius-devel/md5.h>
|
||||||
|
|
||||||
|
-/** Calculate HMAC using MD5
|
||||||
|
+#ifdef HAVE_OPENSSL_EVP_H
|
||||||
|
+/** Calculate HMAC using OpenSSL's MD5 implementation
|
||||||
|
+ *
|
||||||
|
+ * @param digest Caller digest to be filled in.
|
||||||
|
+ * @param text Pointer to data stream.
|
||||||
|
+ * @param text_len length of data stream.
|
||||||
|
+ * @param key Pointer to authentication key.
|
||||||
|
+ * @param key_len Length of authentication key.
|
||||||
|
+ *
|
||||||
|
+ */
|
||||||
|
+void fr_hmac_md5(uint8_t digest[MD5_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||||
|
+ uint8_t const *key, size_t key_len)
|
||||||
|
+{
|
||||||
|
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||||
|
+
|
||||||
|
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
|
||||||
|
+ /* Since MD5 is not allowed by FIPS, explicitly allow it. */
|
||||||
|
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||||
|
+#endif /* EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
|
||||||
|
+
|
||||||
|
+ HMAC_Init_ex(ctx, key, key_len, EVP_md5(), NULL);
|
||||||
|
+ HMAC_Update(ctx, text, text_len);
|
||||||
|
+ HMAC_Final(ctx, digest, NULL);
|
||||||
|
+ HMAC_CTX_free(ctx);
|
||||||
|
+}
|
||||||
|
+#else
|
||||||
|
+/** Calculate HMAC using internal MD5 implementation
|
||||||
|
*
|
||||||
|
* @param digest Caller digest to be filled in.
|
||||||
|
* @param text Pointer to data stream.
|
||||||
|
@@ -101,6 +132,7 @@
|
||||||
|
* hash */
|
||||||
|
fr_md5_final(digest, &context); /* finish up 2nd pass */
|
||||||
|
}
|
||||||
|
+#endif /* HAVE_OPENSSL_EVP_H */
|
||||||
|
|
||||||
|
/*
|
||||||
|
Test Vectors (Trailing '\0' of a character string not included in test):
|
73
freeradius-OpenSSL-HMAC-SHA1.patch
Normal file
73
freeradius-OpenSSL-HMAC-SHA1.patch
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
From 91f663ce1b46ecd99399023ad539f158419272e7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
Date: Fri, 28 Sep 2018 11:03:52 -0400
|
||||||
|
Subject: [PATCH 2/2] Replace HMAC-SHA1 implementation with OpenSSL's
|
||||||
|
|
||||||
|
If OpenSSL EVP is not found, fallback to internal implementation of
|
||||||
|
HMAC-SHA1.
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
---
|
||||||
|
src/lib/hmacsha1.c | 29 ++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 28 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/hmacsha1.c b/src/lib/hmacsha1.c
|
||||||
|
index c3cbd87a2c..211470ea35 100644
|
||||||
|
--- a/src/lib/hmacsha1.c
|
||||||
|
+++ b/src/lib/hmacsha1.c
|
||||||
|
@@ -10,13 +10,19 @@
|
||||||
|
|
||||||
|
RCSID("$Id: c3cbd87a2c13c47da93fdb1bdfbf6da4c22aaac5 $")
|
||||||
|
|
||||||
|
+#ifdef HAVE_OPENSSL_EVP_H
|
||||||
|
+#include <openssl/hmac.h>
|
||||||
|
+#include <openssl/evp.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#include <freeradius-devel/libradius.h>
|
||||||
|
|
||||||
|
#ifdef HMAC_SHA1_DATA_PROBLEMS
|
||||||
|
unsigned int sha1_data_problems = 0;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-/** Calculate HMAC using SHA1
|
||||||
|
+#ifdef HAVE_OPENSSL_EVP_H
|
||||||
|
+/** Calculate HMAC using OpenSSL's SHA1 implementation
|
||||||
|
*
|
||||||
|
* @param digest Caller digest to be filled in.
|
||||||
|
* @param text Pointer to data stream.
|
||||||
|
@@ -28,6 +34,26 @@
|
||||||
|
void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||||
|
uint8_t const *key, size_t key_len)
|
||||||
|
{
|
||||||
|
+ HMAC_CTX *ctx = HMAC_CTX_new();
|
||||||
|
+ HMAC_Init_ex(ctx, key, key_len, EVP_sha1(), NULL);
|
||||||
|
+ HMAC_Update(ctx, text, text_len);
|
||||||
|
+ HMAC_Final(ctx, digest, NULL);
|
||||||
|
+ HMAC_CTX_free(ctx);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#else
|
||||||
|
+
|
||||||
|
+/** Calculate HMAC using internal SHA1 implementation
|
||||||
|
+ *
|
||||||
|
+ * @param digest Caller digest to be filled in.
|
||||||
|
+ * @param text Pointer to data stream.
|
||||||
|
+ * @param text_len length of data stream.
|
||||||
|
+ * @param key Pointer to authentication key.
|
||||||
|
+ * @param key_len Length of authentication key.
|
||||||
|
+ */
|
||||||
|
+void fr_hmac_sha1(uint8_t digest[SHA1_DIGEST_LENGTH], uint8_t const *text, size_t text_len,
|
||||||
|
+ uint8_t const *key, size_t key_len)
|
||||||
|
+{
|
||||||
|
fr_sha1_ctx context;
|
||||||
|
uint8_t k_ipad[65]; /* inner padding - key XORd with ipad */
|
||||||
|
uint8_t k_opad[65]; /* outer padding - key XORd with opad */
|
||||||
|
@@ -142,6 +168,7 @@
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
+#endif /* HAVE_OPENSSL_EVP_H */
|
||||||
|
|
||||||
|
/*
|
||||||
|
Test Vectors (Trailing '\0' of a character string not included in test):
|
21
freeradius-autogen.sh
Normal file
21
freeradius-autogen.sh
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
#!/bin/sh -e
|
||||||
|
|
||||||
|
parentdir=`dirname $0`
|
||||||
|
|
||||||
|
cd $parentdir
|
||||||
|
parentdir=`pwd`
|
||||||
|
|
||||||
|
libtoolize -f -c
|
||||||
|
#aclocal
|
||||||
|
autoheader
|
||||||
|
autoconf
|
||||||
|
|
||||||
|
mysubdirs="$mysubdirs `find src/modules/ -name configure -print | sed 's%/configure%%'`"
|
||||||
|
mysubdirs=`echo $mysubdirs`
|
||||||
|
|
||||||
|
for F in $mysubdirs
|
||||||
|
do
|
||||||
|
echo "Configuring in $F..."
|
||||||
|
(cd $F && grep "^AC_CONFIG_HEADER" configure.in > /dev/null && autoheader -I$parentdir)
|
||||||
|
(cd $F && autoconf -I$parentdir)
|
||||||
|
done
|
@ -1,136 +0,0 @@
|
|||||||
From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Fri, 22 Apr 2022 12:27:43 +0200
|
|
||||||
Subject: [PATCH] bootstrap: pass -noenc to certificate generation
|
|
||||||
|
|
||||||
Bootstrap script would fail to generate certificates if run on systems
|
|
||||||
with FIPS enabled. By passing the -noenc option, we can skip the usage
|
|
||||||
of unsupported algorithms on these systems.
|
|
||||||
|
|
||||||
After generating the certificates, correct permissions are set.
|
|
||||||
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
|
|
||||||
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
|
|
||||||
In bootstrap diff, -f is changed to -e in conditionals.
|
|
||||||
---
|
|
||||||
raddb/certs/Makefile | 20 ++++++++++++++++----
|
|
||||||
raddb/certs/bootstrap | 6 +++---
|
|
||||||
2 files changed, 19 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
|
||||||
index 5cbfd467ce..cb10394ec3 100644
|
|
||||||
--- a/raddb/certs/Makefile
|
|
||||||
+++ b/raddb/certs/Makefile
|
|
||||||
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
|
||||||
######################################################################
|
|
||||||
dh:
|
|
||||||
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
|
||||||
+ chown root:radiusd dh
|
|
||||||
+ chmod 640 dh
|
|
||||||
|
|
||||||
######################################################################
|
|
||||||
#
|
|
||||||
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
|
|
||||||
@[ -f serial ] || $(MAKE) serial
|
|
||||||
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
|
|
||||||
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
|
|
||||||
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
|
|
||||||
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
|
|
||||||
chmod g+r ca.key
|
|
||||||
+ chown root:radiusd ca.*
|
|
||||||
+ chmod 640 ca.*
|
|
||||||
|
|
||||||
ca.der: ca.pem
|
|
||||||
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
|
|
||||||
@@ -81,6 +85,8 @@ ca.crl: ca.pem
|
|
||||||
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
|
|
||||||
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
|
|
||||||
rm ca-crl.pem
|
|
||||||
+ chown root:radiusd ca.*
|
|
||||||
+ chmod 640 ca.*
|
|
||||||
|
|
||||||
######################################################################
|
|
||||||
#
|
|
||||||
@@ -88,7 +94,7 @@ ca.crl: ca.pem
|
|
||||||
#
|
|
||||||
######################################################################
|
|
||||||
server.csr server.key: server.cnf
|
|
||||||
- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
|
|
||||||
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
|
|
||||||
chmod g+r server.key
|
|
||||||
|
|
||||||
server.crt: server.csr ca.key ca.pem
|
|
||||||
@@ -101,6 +107,8 @@ server.p12: server.crt
|
|
||||||
server.pem: server.p12
|
|
||||||
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
|
|
||||||
chmod g+r server.pem
|
|
||||||
+ chown root:radiusd server.*
|
|
||||||
+ chmod 640 server.*
|
|
||||||
|
|
||||||
.PHONY: server.vrfy
|
|
||||||
server.vrfy: ca.pem
|
|
||||||
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
|
|
||||||
#
|
|
||||||
######################################################################
|
|
||||||
client.csr client.key: client.cnf
|
|
||||||
- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
|
|
||||||
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
|
||||||
chmod g+r client.key
|
|
||||||
|
|
||||||
client.crt: client.csr ca.pem ca.key
|
|
||||||
@@ -127,6 +135,8 @@ client.pem: client.p12
|
|
||||||
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
|
|
||||||
chmod g+r client.pem
|
|
||||||
cp client.pem $(USER_NAME).pem
|
|
||||||
+ chown root:radiusd client.*
|
|
||||||
+ chmod 640 client.*
|
|
||||||
|
|
||||||
.PHONY: client.vrfy
|
|
||||||
client.vrfy: ca.pem client.pem
|
|
||||||
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
|
|
||||||
#
|
|
||||||
######################################################################
|
|
||||||
inner-server.csr inner-server.key: inner-server.cnf
|
|
||||||
- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
|
|
||||||
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
|
|
||||||
chmod g+r inner-server.key
|
|
||||||
|
|
||||||
inner-server.crt: inner-server.csr ca.key ca.pem
|
|
||||||
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
|
|
||||||
inner-server.pem: inner-server.p12
|
|
||||||
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
|
|
||||||
chmod g+r inner-server.pem
|
|
||||||
+ chown root:radiusd inner-server.*
|
|
||||||
+ chmod 640 inner-server.*
|
|
||||||
|
|
||||||
.PHONY: inner-server.vrfy
|
|
||||||
inner-server.vrfy: ca.pem
|
|
||||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
|
||||||
index 57de8cf0d7..c258ec45e0 100755
|
|
||||||
--- a/raddb/certs/bootstrap
|
|
||||||
+++ b/raddb/certs/bootstrap
|
|
||||||
@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e server.key ]; then
|
|
||||||
- openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
|
|
||||||
+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
|
|
||||||
chmod g+r server.key
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e ca.key ]; then
|
|
||||||
- openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
|
|
||||||
+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e index.txt ]; then
|
|
||||||
@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ! -e client.key ]; then
|
|
||||||
- openssl req -new -out client.csr -keyout client.key -config ./client.cnf
|
|
||||||
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
|
||||||
chmod g+r client.key
|
|
||||||
fi
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Fri, 28 Jan 2022
|
|
||||||
Subject: Use infinite timeout when using LDAP+start-TLS
|
|
||||||
|
|
||||||
This will ensure that the TLS connection to the LDAP server will complete
|
|
||||||
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
|
|
||||||
the process. Infinite timeout is the OpenLDAP default.
|
|
||||||
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
---
|
|
||||||
src/modules/rlm_ldap/ldap.c | 5 ++++-
|
|
||||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
|
|
||||||
index cf7a84e069..841bf888a1 100644
|
|
||||||
--- a/src/modules/rlm_ldap/ldap.c
|
|
||||||
+++ b/src/modules/rlm_ldap/ldap.c
|
|
||||||
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef LDAP_OPT_NETWORK_TIMEOUT
|
|
||||||
- if (inst->net_timeout) {
|
|
||||||
+ bool using_tls = inst->start_tls ||
|
|
||||||
+ inst->port == 636 ||
|
|
||||||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
|
|
||||||
+ if (inst->net_timeout && !using_tls) {
|
|
||||||
memset(&tv, 0, sizeof(tv));
|
|
||||||
tv.tv_sec = inst->net_timeout;
|
|
||||||
|
|
42
freeradius-listen-ipv6-fix.patch
Normal file
42
freeradius-listen-ipv6-fix.patch
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
From 98510efd0e2930d8924b47009945a0fb1bd75a29 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
Date: Mon, 22 Apr 2019 14:38:19 -0400
|
||||||
|
Subject: [PATCH] Allow listen.ipaddr to reference an IPv6-only host
|
||||||
|
|
||||||
|
In 5452b13cefa3b30f1da467ff5d68b3c1aa471188, these lines were added
|
||||||
|
which effectively result in a listen.ipaddr only allowing hostnames to
|
||||||
|
resolve to IPv4 addresses. With a hostname with only a IPv6 address,
|
||||||
|
it'll bail with the error message:
|
||||||
|
|
||||||
|
radiusd: #### Opening IP addresses and Ports ####
|
||||||
|
listen {
|
||||||
|
type = "auth"
|
||||||
|
Failed resolving "ipv6.cipherboy.com" to IPv4 address:
|
||||||
|
Name or service not known
|
||||||
|
|
||||||
|
This directly contradicts the language in the default configuration
|
||||||
|
file, so support resolving both IPv4-only and IPv6-only hostnames.
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
---
|
||||||
|
src/lib/misc.c | 7 -------
|
||||||
|
1 file changed, 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/misc.c b/src/lib/misc.c
|
||||||
|
index dff21e33f7..5520d8a0a4 100644
|
||||||
|
--- a/src/lib/misc.c
|
||||||
|
+++ b/src/lib/misc.c
|
||||||
|
@@ -607,13 +607,6 @@ int fr_pton(fr_ipaddr_t *out, char const *value, ssize_t inlen, int af, bool res
|
||||||
|
fr_strerror_printf("Invalid address");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Fall through to resolving the address, using
|
||||||
|
- * whatever address family they prefer. If they
|
||||||
|
- * don't specify an address family, force IPv4.
|
||||||
|
- */
|
||||||
|
- if (af == AF_UNSPEC) af = AF_INET;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
64
freeradius-python2-shebangs.patch
Normal file
64
freeradius-python2-shebangs.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
From b8a6ac05977845851f02151ca35c3a51e88bd534 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
Date: Thu, 18 Oct 2018 12:40:53 -0400
|
||||||
|
Subject: [PATCH] Clarify shebangs to be python2
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
---
|
||||||
|
scripts/radtee | 2 +-
|
||||||
|
src/modules/rlm_python/example.py | 2 +-
|
||||||
|
src/modules/rlm_python/prepaid.py | 2 +-
|
||||||
|
src/modules/rlm_python/radiusd.py | 2 +-
|
||||||
|
src/modules/rlm_python/radiusd_test.py | 2 +-
|
||||||
|
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/scripts/radtee b/scripts/radtee
|
||||||
|
index 123769d244..78b4bcbe0b 100755
|
||||||
|
--- a/scripts/radtee
|
||||||
|
+++ b/scripts/radtee
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-#!/usr/bin/env python
|
||||||
|
+#!/usr/bin/env python2
|
||||||
|
from __future__ import with_statement
|
||||||
|
|
||||||
|
# RADIUS comparison tee v1.0
|
||||||
|
diff --git a/src/modules/rlm_python/example.py b/src/modules/rlm_python/example.py
|
||||||
|
index 5950a07678..eaf456e349 100644
|
||||||
|
--- a/src/modules/rlm_python/example.py
|
||||||
|
+++ b/src/modules/rlm_python/example.py
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-#! /usr/bin/env python
|
||||||
|
+#! /usr/bin/env python2
|
||||||
|
#
|
||||||
|
# Python module example file
|
||||||
|
# Miguel A.L. Paraz <mparaz@mparaz.com>
|
||||||
|
diff --git a/src/modules/rlm_python/prepaid.py b/src/modules/rlm_python/prepaid.py
|
||||||
|
index c3cbf57b8f..3b1dc2e2e8 100644
|
||||||
|
--- a/src/modules/rlm_python/prepaid.py
|
||||||
|
+++ b/src/modules/rlm_python/prepaid.py
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-#! /usr/bin/env python
|
||||||
|
+#! /usr/bin/env python2
|
||||||
|
#
|
||||||
|
# Example Python module for prepaid usage using MySQL
|
||||||
|
|
||||||
|
diff --git a/src/modules/rlm_python/radiusd.py b/src/modules/rlm_python/radiusd.py
|
||||||
|
index c535bb3caf..7129923994 100644
|
||||||
|
--- a/src/modules/rlm_python/radiusd.py
|
||||||
|
+++ b/src/modules/rlm_python/radiusd.py
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-#! /usr/bin/env python
|
||||||
|
+#! /usr/bin/env python2
|
||||||
|
#
|
||||||
|
# Definitions for RADIUS programs
|
||||||
|
#
|
||||||
|
diff --git a/src/modules/rlm_python/radiusd_test.py b/src/modules/rlm_python/radiusd_test.py
|
||||||
|
index 13b7128b29..97b5b64f08 100644
|
||||||
|
--- a/src/modules/rlm_python/radiusd_test.py
|
||||||
|
+++ b/src/modules/rlm_python/radiusd_test.py
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-#! /usr/bin/env python
|
||||||
|
+#! /usr/bin/env python2
|
||||||
|
#
|
||||||
|
# Python module test
|
||||||
|
# Miguel A.L. Paraz <mparaz@mparaz.com>
|
113
freeradius-radiusd-init
Normal file
113
freeradius-radiusd-init
Normal file
@ -0,0 +1,113 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# radiusd Start/Stop the FreeRADIUS daemon
|
||||||
|
#
|
||||||
|
# chkconfig: - 88 10
|
||||||
|
# description: Extensible, configurable, high performance RADIUS server.
|
||||||
|
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: radiusd
|
||||||
|
# Required-Start: $network
|
||||||
|
# Required-Stop:
|
||||||
|
# Default-Start:
|
||||||
|
# Default-Stop:
|
||||||
|
# Should-Start: $time $syslog mysql ldap postgresql samba krb5-kdc
|
||||||
|
# Should-Stop:
|
||||||
|
# Short-Description: FreeRADIUS server
|
||||||
|
# Description: Extensible, configurable, high performance RADIUS server.
|
||||||
|
### END INIT INFO
|
||||||
|
|
||||||
|
# Source function library.
|
||||||
|
. /etc/rc.d/init.d/functions
|
||||||
|
|
||||||
|
prog=radiusd
|
||||||
|
|
||||||
|
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
|
||||||
|
|
||||||
|
exec=${exec:=/usr/sbin/$prog}
|
||||||
|
config_dir=${config_dir:=/etc/raddb}
|
||||||
|
config=${config:=$config_dir/radiusd.conf}
|
||||||
|
pidfile=${pidfile:=/var/run/$prog/$prog.pid}
|
||||||
|
lockfile=${lockfile:=/var/lock/subsys/radiusd}
|
||||||
|
|
||||||
|
start() {
|
||||||
|
[ -x $exec ] || exit 5
|
||||||
|
[ -f $config ] || exit 6
|
||||||
|
echo -n $"Starting $prog: "
|
||||||
|
daemon --pidfile $pidfile $exec -d $config_dir
|
||||||
|
retval=$?
|
||||||
|
echo
|
||||||
|
[ $retval -eq 0 ] && touch $lockfile
|
||||||
|
return $retval
|
||||||
|
}
|
||||||
|
|
||||||
|
stop() {
|
||||||
|
echo -n $"Stopping $prog: "
|
||||||
|
killproc -p $pidfile $prog
|
||||||
|
retval=$?
|
||||||
|
echo
|
||||||
|
[ $retval -eq 0 ] && rm -f $lockfile
|
||||||
|
return $retval
|
||||||
|
}
|
||||||
|
|
||||||
|
restart() {
|
||||||
|
stop
|
||||||
|
start
|
||||||
|
}
|
||||||
|
|
||||||
|
reload() {
|
||||||
|
# radiusd may not be capable of a 100% configuration reload depending
|
||||||
|
# on which loadable modules are in use, if sending the server a
|
||||||
|
# HUP is not sufficient then use restart here instead. However, we
|
||||||
|
# prefer by default to use HUP since it's what is usually desired.
|
||||||
|
#
|
||||||
|
# restart
|
||||||
|
|
||||||
|
kill -HUP `pidofproc -p $pidfile $prog`
|
||||||
|
}
|
||||||
|
|
||||||
|
force_reload() {
|
||||||
|
restart
|
||||||
|
}
|
||||||
|
|
||||||
|
rh_status() {
|
||||||
|
# run checks to determine if the service is running or use generic status
|
||||||
|
status -p $pidfile $prog
|
||||||
|
}
|
||||||
|
|
||||||
|
rh_status_q() {
|
||||||
|
rh_status >/dev/null 2>&1
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
rh_status_q && exit 0
|
||||||
|
$1
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
rh_status_q || exit 0
|
||||||
|
$1
|
||||||
|
;;
|
||||||
|
restart)
|
||||||
|
$1
|
||||||
|
;;
|
||||||
|
reload)
|
||||||
|
rh_status_q || exit 7
|
||||||
|
$1
|
||||||
|
;;
|
||||||
|
force-reload)
|
||||||
|
force_reload
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
rh_status
|
||||||
|
;;
|
||||||
|
condrestart|try-restart)
|
||||||
|
rh_status_q || exit 0
|
||||||
|
restart
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
|
||||||
|
exit 2
|
||||||
|
esac
|
||||||
|
exit $?
|
@ -1,3 +0,0 @@
|
|||||||
#Type Name ID GECOS Home directory Shell
|
|
||||||
u radiusd 95 "radiusd user" /var/lib/radiusd /sbin/nologin
|
|
||||||
g radiusd 95 - - -
|
|
@ -1,6 +1,6 @@
|
|||||||
--- !Policy
|
--- !Policy
|
||||||
product_versions:
|
product_versions:
|
||||||
- rhel-9
|
- rhel-8
|
||||||
decision_context: osci_compose_gate
|
decision_context: osci_compose_gate
|
||||||
rules:
|
rules:
|
||||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||||
|
@ -1,3 +1,6 @@
|
|||||||
---
|
---
|
||||||
inspections:
|
inspections:
|
||||||
badfuncs: off
|
badfuncs: off
|
||||||
|
runpath:
|
||||||
|
allowed_paths:
|
||||||
|
- /usr/lib64
|
||||||
|
@ -1,36 +0,0 @@
|
|||||||
# SPDX-License-Identifier: LGPL-2.1+
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/freeradius
|
|
||||||
# Description: Test if freeradius authentication workd ok
|
|
||||||
# Author: Susant Sahani<susant@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
export TEST=/CoreOS/freeradius
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
BUILT_FILES=
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
.PHONY: all install download clean
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Susant Sahani<susant@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: Test if the ABI hasn't changed" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 5m" >> $(METADATA)
|
|
||||||
@echo "RunFor: freeradius" >> $(METADATA)
|
|
||||||
@echo "Requires: freeradius freeradius-utils python3 python3-psutil" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
@echo "Releases: -Fedora 28" >> $(METADATA)
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,3 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/freeradius
|
|
||||||
Description: tests for freeradius
|
|
||||||
Author: Susant Sahani<susant@redhat.com>
|
|
@ -1,2 +0,0 @@
|
|||||||
fedora-ci Cleartext-Password := "password"
|
|
||||||
Reply-Message = "Hello, %{User-Name}"
|
|
@ -1,6 +0,0 @@
|
|||||||
client localhost {
|
|
||||||
ipaddr = 127.0.0.1
|
|
||||||
secret = testing123
|
|
||||||
require_message_authenticator = no
|
|
||||||
nastype = other
|
|
||||||
}
|
|
@ -1,68 +0,0 @@
|
|||||||
#!/usr/bin/env python3
|
|
||||||
# SPDX-License-Identifier: LGPL-2.1+
|
|
||||||
# ~~~
|
|
||||||
# Description: Tests for freeradius
|
|
||||||
#
|
|
||||||
# Author: Susant Sahani <susant@redhat.com>
|
|
||||||
# Copyright (c) 2018 Red Hat, Inc.
|
|
||||||
# ~~~
|
|
||||||
|
|
||||||
import errno
|
|
||||||
import os
|
|
||||||
import sys
|
|
||||||
import time
|
|
||||||
import unittest
|
|
||||||
import subprocess
|
|
||||||
import signal
|
|
||||||
import shutil
|
|
||||||
import psutil
|
|
||||||
import socket
|
|
||||||
|
|
||||||
RADIUSD_PID_FILE='/var/run/radiusd/radiusd.pid'
|
|
||||||
|
|
||||||
def setUpModule():
|
|
||||||
"""Initialize the environment, and perform sanity checks on it."""
|
|
||||||
|
|
||||||
if shutil.which('radiusd') is None:
|
|
||||||
raise OSError(errno.ENOENT, 'radiusd not found')
|
|
||||||
|
|
||||||
if shutil.which('radtest') is None:
|
|
||||||
raise OSError(errno.ENOENT, 'radtest not found')
|
|
||||||
|
|
||||||
if subprocess.call(['systemctl', 'is-active', '--quiet',
|
|
||||||
'radiusd.service']) == 0:
|
|
||||||
raise unittest.SkipTest('radiusd.service is already active')
|
|
||||||
|
|
||||||
def tearDownModule():
|
|
||||||
pass
|
|
||||||
|
|
||||||
class GenericUtilities():
|
|
||||||
"""Provide a set of utility functions start stop daemons. write config files etc """
|
|
||||||
|
|
||||||
def StartRadiusServer(self):
|
|
||||||
"""Start radiusd"""
|
|
||||||
subprocess.check_output(['systemctl', 'start', 'radiusd'])
|
|
||||||
|
|
||||||
def StopRadiusServer(self):
|
|
||||||
"""stop radiusd"""
|
|
||||||
subprocess.check_output(['systemctl', 'stop', 'radiusd'])
|
|
||||||
|
|
||||||
class RadiousTests(unittest.TestCase, GenericUtilities):
|
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
self.StartRadiusServer()
|
|
||||||
|
|
||||||
def tearDown(self):
|
|
||||||
self.StopRadiusServer()
|
|
||||||
|
|
||||||
def test_radius_plaintext_auth(self):
|
|
||||||
time.sleep(1)
|
|
||||||
output=subprocess.check_output(['radtest', 'fedora-ci', 'password', '127.0.0.1', '100', 'testing123']).rstrip().decode('utf-8')
|
|
||||||
print(output)
|
|
||||||
|
|
||||||
self.assertRegex(output, "Received Access-Accept")
|
|
||||||
self.assertRegex(output, "Reply-Message = \"Hello, fedora-ci\"")
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
|
|
||||||
verbosity=3))
|
|
@ -1,70 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# SPDX-License-Identifier: LGPL-2.1+
|
|
||||||
# ~~~
|
|
||||||
# runtest.sh of freeradius
|
|
||||||
# Description: RADIUS server
|
|
||||||
#
|
|
||||||
# Author: Susant Sahani <susant@redhat.com>
|
|
||||||
# Copyright (c) 2018 Red Hat, Inc.
|
|
||||||
# ~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="freeradius"
|
|
||||||
|
|
||||||
RADIUS_CLIENT_CONF="/etc/raddb/clients.conf"
|
|
||||||
RADIUD_PALIN_TEXT_AUTH_FILE="/etc/raddb/mods-config/files/authorize"
|
|
||||||
|
|
||||||
generate_cert(){
|
|
||||||
pushd /etc/raddb/certs/
|
|
||||||
#remove certificates if exists;generate new certificates
|
|
||||||
if [[ -f /etc/raddb/certs/bootstrap ]]; then
|
|
||||||
rlLog "Destroy and create new default certificates via bootstrap script"
|
|
||||||
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* dh
|
|
||||||
rlRun "sh /etc/raddb/certs/bootstrap" 0 "Gnenerating certificates"
|
|
||||||
else
|
|
||||||
rlLogWarning "!!! WARNING bootsrap file does not exist !!!"
|
|
||||||
rlLog "Destroy and create new default certificates via make scripts"
|
|
||||||
make destroycerts -C /etc/raddb/certs/
|
|
||||||
#create new certificates
|
|
||||||
make -C /etc/raddb/certs/
|
|
||||||
chown root:radiusd dh ca.* client.* server.*
|
|
||||||
chmod 640 dh ca.* client.* server.*
|
|
||||||
fi
|
|
||||||
popd
|
|
||||||
}
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
rlRun "systemctl stop firewalld" 0,5
|
|
||||||
rlRun "systemctl stop radiusd.service"
|
|
||||||
rlRun "setenforce 0"
|
|
||||||
rlFileBackup "$RADIUS_CLIENT_CONF"
|
|
||||||
rlFileBackup "$RADIUD_PALIN_TEXT_AUTH_FILE"
|
|
||||||
|
|
||||||
rlRun "cp freeradius-tests.py /usr/bin/"
|
|
||||||
rlRun "cp clients.conf $RADIUS_CLIENT_CONF"
|
|
||||||
rlRun "cp authorize $RADIUD_PALIN_TEXT_AUTH_FILE"
|
|
||||||
rlRun "systemctl daemon-reload"
|
|
||||||
#manually generate default certificates
|
|
||||||
generate_cert
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest
|
|
||||||
rlLog "Starting radius auth tests ..."
|
|
||||||
rlRun "/usr/bin/python3 /usr/bin/freeradius-tests.py"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun "rm /usr/bin/freeradius-tests.py"
|
|
||||||
rlRun "systemctl start firewalld" 0,5
|
|
||||||
rlRun "setenforce 1"
|
|
||||||
rlFileRestore
|
|
||||||
rlLog "freeradius tests done"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
||||||
|
|
||||||
rlGetTestState
|
|
@ -1,12 +0,0 @@
|
|||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
tests:
|
|
||||||
- auth-tests
|
|
||||||
required_packages:
|
|
||||||
- python3
|
|
||||||
- systemd
|
|
||||||
- freeradius
|
|
||||||
- freeradius-utils
|
|
Loading…
Reference in New Issue
Block a user