Add WITH_FIPS macro to CFLAGS
We need this flag added to CFLAGS so that FreeRADIUS can run on a system in FIPS mode.
Resolves: 2083699
Signed-off-by: Antonio Torres <antorres@redhat.com>
parent
d83b583a42
commit
a9061bf663
@ -7,12 +7,9 @@ Related: rhbz#1978216
|
|||||||
Related: rhbz#2083699
|
Related: rhbz#2083699
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
|
||||||
[antorres@redhat.com]: commit 947d5d6bd2674a60f7320f0b721e4723243c2285 is backported
|
[antorres@redhat.com]: these changes include the macro WITH_FIPS, which allows FreeRADIUS
|
||||||
manually to avoid issues when applying on top of 3.0.21 tag. Because of this, files configure
|
to work on top of OpenSSL 3.0 when the system is in FIPS mode. We enable this macro on the specfile.
|
||||||
and configure.ac only contain changes (adapted) from this commit, not other changes from upstream state.
|
|
||||||
---
|
---
|
||||||
configure | 19 +
|
|
||||||
configure.ac | 19 +
|
|
||||||
share/dictionary.freeradius.internal | 54 +-
|
share/dictionary.freeradius.internal | 54 +-
|
||||||
src/include/build.h | 25 +-
|
src/include/build.h | 25 +-
|
||||||
src/include/libradius.h | 23 +-
|
src/include/libradius.h | 23 +-
|
||||||
@ -69,82 +66,8 @@ and configure.ac only contain changes (adapted) from this commit, not other chan
|
|||||||
src/modules/rlm_wimax/milenage.h | 128 ++
|
src/modules/rlm_wimax/milenage.h | 128 ++
|
||||||
src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
|
src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
|
||||||
src/tests/keywords/md4 | 58 +
|
src/tests/keywords/md4 | 58 +
|
||||||
58 files changed, 5951 insertions(+), 1205 deletions(-)
|
56 files changed, 5913 insertions(+), 1205 deletions(-)
|
||||||
|
|
||||||
diff --git a/configure b/configure
|
|
||||||
index edf08649a0..5b58f76c97 100755
|
|
||||||
--- a/configure
|
|
||||||
+++ b/configure
|
|
||||||
@@ -736,6 +736,7 @@ ac_subst_files=''
|
|
||||||
ac_user_opts='
|
|
||||||
enable_option_checking
|
|
||||||
enable_developer
|
|
||||||
+enable_fips_workaround
|
|
||||||
enable_largefile
|
|
||||||
enable_strict_dependencies
|
|
||||||
enable_werror
|
|
||||||
@@ -1406,6 +1407,7 @@ Optional Features:
|
|
||||||
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
|
|
||||||
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
|
|
||||||
--enable-developer enables features of interest to developers.
|
|
||||||
+ --enable-fips-workaround enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues.
|
|
||||||
--disable-largefile omit support for large files
|
|
||||||
--enable-strict-dependencies fail configure on lack of module dependancy.
|
|
||||||
--enable-werror causes the build to fail if any warnings are generated.
|
|
||||||
@@ -2486,6 +2488,23 @@ if test "x$developer" = "xyes"; then
|
|
||||||
: ${CFLAGS=-g3}
|
|
||||||
fi
|
|
||||||
|
|
||||||
+# Check whether --enable-fips-workaround was given.
|
|
||||||
+if test ${enable_fips_workaround+y}
|
|
||||||
+then :
|
|
||||||
+ enableval=$enable_fips_workaround; case "$enableval" in
|
|
||||||
+ no)
|
|
||||||
+ fips=""
|
|
||||||
+ ;;
|
|
||||||
+ *)
|
|
||||||
+ fips="yes"
|
|
||||||
+ esac
|
|
||||||
+else $as_nop
|
|
||||||
+ fips=""
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if test "x$fips" = "xyes"; then
|
|
||||||
+$as_echo "#define WITH_FIPS 1" >>confdefs.h
|
|
||||||
+fi
|
|
||||||
|
|
||||||
ac_aux_dir=
|
|
||||||
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index c72511ab39..10b7cc02c0 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -100,6 +100,25 @@ if test "x$developer" = "xyes"; then
|
|
||||||
: ${CFLAGS=-g3}
|
|
||||||
fi
|
|
||||||
|
|
||||||
+dnl #
|
|
||||||
+dnl # Hard-code FIPS support/
|
|
||||||
+dnl #
|
|
||||||
+AC_ARG_ENABLE(fips-workaround,
|
|
||||||
+[ --enable-fips-workaround enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues.],
|
|
||||||
+[ case "$enableval" in
|
|
||||||
+ no)
|
|
||||||
+ fips=""
|
|
||||||
+ ;;
|
|
||||||
+ *)
|
|
||||||
+ fips="yes"
|
|
||||||
+ esac ],
|
|
||||||
+[ fips="" ],
|
|
||||||
+)
|
|
||||||
+if test "x$fips" != "xyes"; then
|
|
||||||
+ AC_DEFINE(WITH_FIPS, [1], [define if you want FIPS support])
|
|
||||||
+fi
|
|
||||||
+AC_SUBST(WITH_FIPS)
|
|
||||||
+
|
|
||||||
dnl #############################################################
|
|
||||||
dnl #
|
|
||||||
dnl # 0. Checks for compiler, libtool, and command line options.
|
|
||||||
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
|
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
|
||||||
index 724e1f7ff6..347e3e59f3 100644
|
index 724e1f7ff6..347e3e59f3 100644
|
||||||
--- a/share/dictionary.freeradius.internal
|
--- a/share/dictionary.freeradius.internal
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
Summary: High-performance and highly configurable free RADIUS server
|
Summary: High-performance and highly configurable free RADIUS server
|
||||||
Name: freeradius
|
Name: freeradius
|
||||||
Version: 3.0.21
|
Version: 3.0.21
|
||||||
Release: 31%{?dist}
|
Release: 32%{?dist}
|
||||||
License: GPLv2+ and LGPLv2+
|
License: GPLv2+ and LGPLv2+
|
||||||
URL: http://www.freeradius.org/
|
URL: http://www.freeradius.org/
|
||||||
|
|
||||||
@ -228,6 +228,9 @@ sed 's/rlm_python/rlm_python3/g' src/modules/stable -i
|
|||||||
export PY3_LIB_DIR="$(python3-config --configdir)"
|
export PY3_LIB_DIR="$(python3-config --configdir)"
|
||||||
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
|
||||||
|
|
||||||
|
# Enable FIPS support
|
||||||
|
%global build_cflags %{build_cflags} -DWITH_FIPS
|
||||||
|
|
||||||
# In order for the above hack to stick, do a fake configure so
|
# In order for the above hack to stick, do a fake configure so
|
||||||
# we can run reconfig before cleaning up after ourselves and running
|
# we can run reconfig before cleaning up after ourselves and running
|
||||||
# configure for real.
|
# configure for real.
|
||||||
@ -237,7 +240,6 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
|
|||||||
--libdir=%{_libdir}/freeradius \
|
--libdir=%{_libdir}/freeradius \
|
||||||
--enable-reproducible-builds \
|
--enable-reproducible-builds \
|
||||||
--disable-openssl-version-check \
|
--disable-openssl-version-check \
|
||||||
--enable-fips-workaround \
|
|
||||||
--with-openssl \
|
--with-openssl \
|
||||||
--with-udpfromto \
|
--with-udpfromto \
|
||||||
--with-threads \
|
--with-threads \
|
||||||
@ -859,6 +861,10 @@ exit 0
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 30 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-32
|
||||||
|
- Add WITH_FIPS macro to CFLAGS
|
||||||
|
Related: rhbz#2083699
|
||||||
|
|
||||||
* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
|
* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
|
||||||
- Update OpenSSL 3.0 support backport to current v3.0.x branch state
|
- Update OpenSSL 3.0 support backport to current v3.0.x branch state
|
||||||
- Add "--enable-fips-workaround" to build options
|
- Add "--enable-fips-workaround" to build options
|
||||||
|
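Review bot: The new comment `# Enable FIPS support` above `%global build_cflags %{build_cflags} -DWITH_FIPS` overstates what the macro does. Going by the help text of the `--enable-fips-workaround` option that this commit drops from the backport patch ("enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues"), WITH_FIPS appears to switch FreeRADIUS to its own MD4/MD5 code so these digests keep working when OpenSSL is in FIPS mode. They would then presumably run outside the validated module, which anyone assessing this package for FIPS compliance needs to see stated. I would word the comment as `# -DWITH_FIPS: use FreeRADIUS's built-in MD4/MD5 etc. instead of OpenSSL's, which are unavailable in FIPS mode (rhbz#2083699)`. The 3.0.21-31 changelog entry still lists `--enable-fips-workaround` as a build option although the configure arguments no longer appear to pass it, so the 3.0.21-32 entry should also say the option was replaced by the CFLAGS define.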