Add WITH_FIPS macro to CFLAGS
We need this flag added to CFLAGS in order for FreeRADIUS to run on a system in FIPS mode. Resolves: 2083699 Signed-off-by: Antonio Torres <antorres@redhat.com>
parent
d83b583a42
commit
a9061bf663
@ -7,12 +7,9 @@ Related: rhbz#1978216
|
||||
Related: rhbz#2083699
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
|
||||
[antorres@redhat.com]: commit 947d5d6bd2674a60f7320f0b721e4723243c2285 is backported
|
||||
manually to avoid issues when applying on top of 3.0.21 tag. Because of this, files configure
|
||||
and configure.ac only contain changes (adapted) from this commit, not other changes from upstream state.
|
||||
[antorres@redhat.com]: these changes include the macro WITH_FIPS, which allows FreeRADIUS
|
||||
to work on top of OpenSSL 3.0 when the system is in FIPS mode. We enable this macro on the specfile.
|
||||
---
|
||||
configure | 19 +
|
||||
configure.ac | 19 +
|
||||
share/dictionary.freeradius.internal | 54 +-
|
||||
src/include/build.h | 25 +-
|
||||
src/include/libradius.h | 23 +-
|
||||
@ -69,82 +66,8 @@ and configure.ac only contain changes (adapted) from this commit, not other chan
|
||||
src/modules/rlm_wimax/milenage.h | 128 ++
|
||||
src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
|
||||
src/tests/keywords/md4 | 58 +
|
||||
58 files changed, 5951 insertions(+), 1205 deletions(-)
|
||||
56 files changed, 5913 insertions(+), 1205 deletions(-)
|
||||
|
||||
diff --git a/configure b/configure
|
||||
index edf08649a0..5b58f76c97 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -736,6 +736,7 @@ ac_subst_files=''
|
||||
ac_user_opts='
|
||||
enable_option_checking
|
||||
enable_developer
|
||||
+enable_fips_workaround
|
||||
enable_largefile
|
||||
enable_strict_dependencies
|
||||
enable_werror
|
||||
@@ -1406,6 +1407,7 @@ Optional Features:
|
||||
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
|
||||
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
|
||||
--enable-developer enables features of interest to developers.
|
||||
+ --enable-fips-workaround enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues.
|
||||
--disable-largefile omit support for large files
|
||||
--enable-strict-dependencies fail configure on lack of module dependancy.
|
||||
--enable-werror causes the build to fail if any warnings are generated.
|
||||
@@ -2486,6 +2488,23 @@ if test "x$developer" = "xyes"; then
|
||||
: ${CFLAGS=-g3}
|
||||
fi
|
||||
|
||||
+# Check whether --enable-fips-workaround was given.
|
||||
+if test ${enable_fips_workaround+y}
|
||||
+then :
|
||||
+ enableval=$enable_fips_workaround; case "$enableval" in
|
||||
+ no)
|
||||
+ fips=""
|
||||
+ ;;
|
||||
+ *)
|
||||
+ fips="yes"
|
||||
+ esac
|
||||
+else $as_nop
|
||||
+ fips=""
|
||||
+fi
|
||||
+
|
||||
+if test "x$fips" = "xyes"; then
|
||||
+$as_echo "#define WITH_FIPS 1" >>confdefs.h
|
||||
+fi
|
||||
|
||||
ac_aux_dir=
|
||||
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index c72511ab39..10b7cc02c0 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -100,6 +100,25 @@ if test "x$developer" = "xyes"; then
|
||||
: ${CFLAGS=-g3}
|
||||
fi
|
||||
|
||||
+dnl #
|
||||
+dnl # Hard-code FIPS support/
|
||||
+dnl #
|
||||
+AC_ARG_ENABLE(fips-workaround,
|
||||
+[ --enable-fips-workaround enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues.],
|
||||
+[ case "$enableval" in
|
||||
+ no)
|
||||
+ fips=""
|
||||
+ ;;
|
||||
+ *)
|
||||
+ fips="yes"
|
||||
+ esac ],
|
||||
+[ fips="" ],
|
||||
+)
|
||||
+if test "x$fips" != "xyes"; then
|
||||
+ AC_DEFINE(WITH_FIPS, [1], [define if you want FIPS support])
|
||||
+fi
|
||||
+AC_SUBST(WITH_FIPS)
|
||||
+
|
||||
dnl #############################################################
|
||||
dnl #
|
||||
dnl # 0. Checks for compiler, libtool, and command line options.
|
||||
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
|
||||
index 724e1f7ff6..347e3e59f3 100644
|
||||
--- a/share/dictionary.freeradius.internal
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.21
|
||||
Release: 31%{?dist}
|
||||
Release: 32%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
URL: http://www.freeradius.org/
|
||||
|
||||
@ -228,6 +228,9 @@ sed 's/rlm_python/rlm_python3/g' src/modules/stable -i
|
||||
export PY3_LIB_DIR="$(python3-config --configdir)"
|
||||
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
||||
|
||||
# Enable FIPS support
|
||||
%global build_cflags %{build_cflags} -DWITH_FIPS
|
||||
|
||||
# In order for the above hack to stick, do a fake configure so
|
||||
# we can run reconfig before cleaning up after ourselves and running
|
||||
# configure for real.
|
||||
@ -237,7 +240,6 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
|
||||
--libdir=%{_libdir}/freeradius \
|
||||
--enable-reproducible-builds \
|
||||
--disable-openssl-version-check \
|
||||
--enable-fips-workaround \
|
||||
--with-openssl \
|
||||
--with-udpfromto \
|
||||
--with-threads \
|
||||
@ -859,6 +861,10 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Mon May 30 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-32
|
||||
- Add WITH_FIPS macro to CFLAGS
|
||||
Related: rhbz#2083699
|
||||
|
||||
* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
|
||||
- Update OpenSSL 3.0 support backport to current v3.0.x branch state
|
||||
- Add "--enable-fips-workaround" to build options
|
||||
|
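Review bot: The comment `# Enable FIPS support` above the new `%global build_cflags %{build_cflags} -DWITH_FIPS` line overstates what the define does. Going by the help text of `--enable-fips-workaround` shown on this page ("enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues"), WITH_FIPS appears to switch FreeRADIUS to its own digest code so the server keeps working when OpenSSL refuses those algorithms in FIPS mode; those digests would then presumably run outside the validated OpenSSL module. I would say so in the spec, e.g. `# WITH_FIPS: use FreeRADIUS' built-in MD4/MD5 because OpenSSL rejects them in FIPS mode; compatibility workaround, not FIPS validation`. The two new lines also sit between the `PY3_*` exports and the existing comment beginning "In order for the above hack to stick", so "the above hack" now reads as if it meant the FIPS define. Moving the define to the spec preamble or directly before the configure call would keep that comment accurate, and since `%global` is expanded when the spec is parsed, the move should not change the resulting CFLAGS (the rest of the spec is not visible here, so confirm).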