diff --git a/freeradius-Backport-OpenSSL3-fixes.patch b/freeradius-Backport-OpenSSL3-fixes.patch index ff34b51..3632b82 100644 --- a/freeradius-Backport-OpenSSL3-fixes.patch +++ b/freeradius-Backport-OpenSSL3-fixes.patch @@ -7,12 +7,9 @@ Related: rhbz#1978216 Related: rhbz#2083699 Signed-off-by: Antonio Torres -[antorres@redhat.com]: commit 947d5d6bd2674a60f7320f0b721e4723243c2285 is backported -manually to avoid issues when applying on top of 3.0.21 tag. Because of this, files configure -and configure.ac only contain changes (adapted) from this commit, not other changes from upstream state. +[antorres@redhat.com]: these changes include the macro WITH_FIPS, which allows FreeRADIUS +to work on top of OpenSSL 3.0 when the system is in FIPS mode. We enable this macro on the specfile. --- - configure | 19 + - configure.ac | 19 + share/dictionary.freeradius.internal | 54 +- src/include/build.h | 25 +- src/include/libradius.h | 23 +- 
@@ -69,82 +66,8 @@ and configure.ac only contain changes (adapted) from this commit, not other chan src/modules/rlm_wimax/milenage.h | 128 ++ src/modules/rlm_wimax/rlm_wimax.c | 429 ++++- src/tests/keywords/md4 | 58 + - 58 files changed, 5951 insertions(+), 1205 deletions(-) + 56 files changed, 5913 insertions(+), 1205 deletions(-) -diff --git a/configure b/configure -index edf08649a0..5b58f76c97 100755 ---- a/configure -+++ b/configure -@@ -736,6 +736,7 @@ ac_subst_files='' - ac_user_opts=' - enable_option_checking - enable_developer -+enable_fips_workaround - enable_largefile - enable_strict_dependencies - enable_werror -@@ -1406,6 +1407,7 @@ Optional Features: - --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) - --enable-FEATURE[=ARG] include FEATURE [ARG=yes] - --enable-developer enables features of interest to developers. -+ --enable-fips-workaround enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues. - --disable-largefile omit support for large files - --enable-strict-dependencies fail configure on lack of module dependancy. - --enable-werror causes the build to fail if any warnings are generated. -@@ -2486,6 +2488,23 @@ if test "x$developer" = "xyes"; then - : ${CFLAGS=-g3} - fi - -+# Check whether --enable-fips-workaround was given. -+if test ${enable_fips_workaround+y} -+then : -+ enableval=$enable_fips_workaround; case "$enableval" in -+ no) -+ fips="" -+ ;; -+ *) -+ fips="yes" -+ esac -+else $as_nop -+ fips="" -+fi -+ -+if test "x$fips" = "xyes"; then -+$as_echo "#define WITH_FIPS 1" >>confdefs.h -+fi - - ac_aux_dir= - for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do -diff --git a/configure.ac b/configure.ac -index c72511ab39..10b7cc02c0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -100,6 +100,25 @@ if test "x$developer" = "xyes"; then - : ${CFLAGS=-g3} - fi - -+dnl # -+dnl # Hard-code FIPS support/ -+dnl # -+AC_ARG_ENABLE(fips-workaround, -+[ --enable-fips-workaround enables local MD4, MD5, etc. 
functionality to avoid OpenSSL FIPS issues.], -+[ case "$enableval" in -+ no) -+ fips="" -+ ;; -+ *) -+ fips="yes" -+ esac ], -+[ fips="" ], -+) -+if test "x$fips" != "xyes"; then -+ AC_DEFINE(WITH_FIPS, [1], [define if you want FIPS support]) -+fi -+AC_SUBST(WITH_FIPS) -+ - dnl ############################################################# - dnl # - dnl # 0. Checks for compiler, libtool, and command line options. diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal index 724e1f7ff6..347e3e59f3 100644 --- a/share/dictionary.freeradius.internal diff --git a/freeradius.spec b/freeradius.spec index c18f9e2..e7a75bc 100644 --- a/freeradius.spec +++ b/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius Version: 3.0.21 -Release: 31%{?dist} +Release: 32%{?dist} License: GPLv2+ and LGPLv2+ URL: http://www.freeradius.org/ @@ -228,6 +228,9 @@ sed 's/rlm_python/rlm_python3/g' src/modules/stable -i export PY3_LIB_DIR="$(python3-config --configdir)" export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')" +# Enable FIPS support +%global build_cflags %{build_cflags} -DWITH_FIPS + # In order for the above hack to stick, do a fake configure so # we can run reconfig before cleaning up after ourselves and running # configure for real. @@ -237,7 +240,6 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v --libdir=%{_libdir}/freeradius \ --enable-reproducible-builds \ --disable-openssl-version-check \ - --enable-fips-workaround \ --with-openssl \ --with-udpfromto \ --with-threads \ 
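Review bot: In the freeradius.spec hunk `@@ -228,6 +228,9 @@`, the comment `# Enable FIPS support` undersells what `-DWITH_FIPS` does. Going by the help text of the configure option this commit drops, the macro makes FreeRADIUS use its own MD4/MD5 code so the server keeps working when OpenSSL is in FIPS mode, which means those digests run outside the FIPS provider on every build. I would word it as `# WITH_FIPS: use FreeRADIUS' bundled MD4/MD5 instead of OpenSSL's so the server runs on FIPS-mode hosts; these digests are not FIPS-approved`. With the configure switch gone (hunk `@@ -237,7 +240,6 @@`), nothing in the build reports whether the define reached the compiler, so it is worth confirming that the configure invocation in this spec really picks up `%{build_cflags}`; the enclosing section starts and ends outside the hunk. Since `%global` is expanded when the spec is parsed rather than when the script runs, the definition would also read more clearly next to the other top-of-file macros.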
@@ -859,6 +861,10 @@ exit 0 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %changelog +* Mon May 30 2022 Antonio Torres - 3.0.21-32 +- Add WITH_FIPS macro to CFLAGS + Related: rhbz#2083699 + * Tue May 24 2022 Antonio Torres - 3.0.21-31 - Update OpenSSL 3.0 support backport to current v3.0.x branch state - Add "--enable-fips-workaround" to build options