import freeradius-3.0.21-20.el9

.freeradius.metadata

@@ -0,0 +1 @@
+3d90d63bf1452794cf9d0b04147745a254872c3f SOURCES/freeradius-server-3.0.21.tar.bz2

.gitignore

@@ -0,0 +1 @@
+SOURCES/freeradius-server-3.0.21.tar.bz2

SOURCES/freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch

@@ -0,0 +1,60 @@
+From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Mon, 8 Sep 2014 12:32:13 +0300
+Subject: [PATCH] Adjust configuration to fit Red Hat specifics
+
+---
+ raddb/mods-available/eap | 4 ++--
+ raddb/radiusd.conf.in    | 7 +++----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 2621e183c..94494b2c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -533,7 +533,7 @@
+ 			#  You should also delete all of the files
+ 			#  in the directory when the server starts.
+ 			#
+-		#	tmpdir = /tmp/radiusd
++		#	tmpdir = /var/run/radiusd/tmp
+ 
+ 			#  The command used to verify the client cert.
+ 			#  We recommend using the OpenSSL command-line
+@@ -548,7 +548,7 @@
+ 			#  deleted by the server when the command
+ 			#  returns.
+ 			#
+-		#	client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
++		#	client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ 		}
+ 
+ 		#  OCSP Configuration
+diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
+index a83c1f687..e500cf97b 100644
+--- a/raddb/radiusd.conf.in
++++ b/raddb/radiusd.conf.in
+@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
+ cadir   = ${confdir}/certs
+ run_dir = ${localstatedir}/run/${name}
+ 
+-# Should likely be ${localstatedir}/lib/radiusd
+-db_dir = ${raddbdir}
++db_dir = ${localstatedir}/lib/radiusd
+ 
+ #
+ # libdir: Where to find the rlm_* modules.
+@@ -398,8 +397,8 @@ security {
+ 	#  member.  This can allow for some finer-grained access
+ 	#  controls.
+ 	#
+-#	user = radius
+-#	group = radius
++	user = radiusd
++	group = radiusd
+ 
+ 	#  Core dumps are a bad thing.  This should only be set to
+ 	#  'yes' if you're debugging a problem with the server.
+-- 
+2.13.2
+

SOURCES/freeradius-Fix-resource-hard-limit-error.patch

@@ -0,0 +1,32 @@
+commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
+Author: Antonio Torres <antorres@redhat.com>
+Date:   Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] debug: don't set resource hard limit to zero
+
+    Setting the resource hard limit to zero is irreversible, meaning if it
+    is set to zero then there is no way to set it higher. This means
+    enabling core dump is not possible, since setting a new resource limit
+    for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
+    can disable and enable core dumps without failures.
+
+    This fix is present in both main and 3.0.x upstream branches.
+    
+    Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
+    Signed-off-by: Antonio Torres antorres@redhat.com
+---
+ src/lib/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/debug.c b/src/lib/debug.c
+index 576bcb2a65..6330c9cb66 100644
+--- a/src/lib/debug.c
++++ b/src/lib/debug.c
+@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
+ 		struct rlimit no_core;
+ 
+ 		no_core.rlim_cur = 0;
+-		no_core.rlim_max = 0;
++		no_core.rlim_max = core_limits.rlim_max;
+ 
+ 		if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
+ 			fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

SOURCES/freeradius-Use-system-crypto-policy-by-default.patch

@@ -0,0 +1,86 @@
+From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 10:16:31 -0400
+Subject: [PATCH] Use system-provided crypto-policies by default
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/mods-available/eap        | 4 ++--
+ raddb/mods-available/inner-eap  | 2 +-
+ raddb/sites-available/abfab-tls | 2 +-
+ raddb/sites-available/tls       | 4 ++--
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
+index 36849e10f2..b28c0f19c6 100644
+--- a/raddb/mods-available/eap
++++ b/raddb/mods-available/eap
+@@ -368,7 +368,7 @@ eap {
+ 		#
+ 		#  For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ 		#
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  If enabled, OpenSSL will use server cipher list
+ 		#  (possibly defined by cipher_list option above)
+@@ -912,7 +912,7 @@ eap {
+ 		#  Note - for OpenSSL 1.1.0 and above you may need
+ 		#  to add ":@SECLEVEL=0"
+ 		#
+-	#	cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
++	#	cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  PAC lifetime in seconds (default: seven days)
+ 		#
+diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
+index 576eb7739e..ffa07188e2 100644
+--- a/raddb/mods-available/inner-eap
++++ b/raddb/mods-available/inner-eap
+@@ -77,7 +77,7 @@ eap inner-eap {
+ 		#  certificates.  If so, edit this file.
+ 		ca_file = ${cadir}/ca.pem
+ 
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		#  You may want to set a very small fragment size.
+ 		#  The TLS data here needs to go inside of the
+diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
+index 92f1d6330e..cd69b3905a 100644
+--- a/raddb/sites-available/abfab-tls
++++ b/raddb/sites-available/abfab-tls
+@@ -19,7 +19,7 @@ listen {
+ 		dh_file = ${certdir}/dh
+ 		fragment_size = 8192
+ 		ca_path = ${cadir}
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		cache {
+ 			enable = no
+diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
+index bbc761b1c5..83cd35b851 100644
+--- a/raddb/sites-available/tls
++++ b/raddb/sites-available/tls
+@@ -215,7 +215,7 @@ listen {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 
+ 		# If enabled, OpenSSL will use server cipher list
+ 		# (possibly defined by cipher_list option above)
+@@ -517,7 +517,7 @@ home_server tls {
+ 		# Set this option to specify the allowed
+ 		# TLS cipher suites.  The format is listed
+ 		# in "man 1 ciphers".
+-		cipher_list = "DEFAULT"
++		cipher_list = "PROFILE=SYSTEM"
+ 	}
+ 
+ }
+-- 
+2.21.0
+

SOURCES/freeradius-bootstrap-create-only.patch

@@ -0,0 +1,89 @@
+From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 13 May 2020 10:01:47 -0400
+Subject: [PATCH] Don't clobber existing files on bootstrap
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/bootstrap | 31 +++++++++++++++----------------
+ 1 file changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index ede09bc..e555491 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -20,56 +20,55 @@ cd `dirname $0`
+ #  Don't edit the following text.  Instead, edit the Makefile, and
+ #  re-generate these commands.
+ #
+-if [ ! -f dh ]; then
++if [ ! -e dh ]; then
+   openssl dhparam -out dh 2048 || exit 1
+-  if [ -e /dev/urandom ] ; then
+-	ln -sf /dev/urandom random
+-  else
+-	date > ./random;
+-  fi
++  ln -sf /dev/urandom random
+ fi
+ 
+-if [ ! -f server.key ]; then
++if [ ! -e server.key ]; then
+   openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
+   chmod g+r server.key
+ fi
+ 
+-if [ ! -f ca.key ]; then
++if [ ! -e ca.key ]; then
+   openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+ fi
+ 
+-if [ ! -f index.txt ]; then
++if [ ! -e index.txt ]; then
+   touch index.txt
+ fi
+ 
+-if [ ! -f serial ]; then
++if [ ! -e serial ]; then
+   echo '01' > serial
+ fi
+ 
+-if [ ! -f server.crt ]; then
++if [ ! -e server.crt ]; then
+   openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
+ fi
+ 
+-if [ ! -f server.p12 ]; then
++if [ ! -e server.p12 ]; then
+   openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+   chmod g+r server.p12
+ fi
+ 
+-if [ ! -f server.pem ]; then
++if [ ! -e server.pem ]; then
+   openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+   openssl verify -CAfile ca.pem server.pem || exit 1
+   chmod g+r server.pem
+ fi
+ 
+-if [ ! -f ca.der ]; then
++if [ ! -e ca.der ]; then
+   openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
+ fi
+ 
+-if [ ! -f client.key ]; then
++if [ ! -e client.key ]; then
+   openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
+   chmod g+r client.key
+ fi
+ 
+-if [ ! -f client.crt ]; then
++if [ ! -e client.crt ]; then
+   openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ fi
++
++chown root:radiusd dh ca.* client.* server.*
++chmod 640 dh ca.* client.* server.*
+-- 
+2.26.2
+

SOURCES/freeradius-bootstrap-make-permissions.patch

@@ -0,0 +1,29 @@
+From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 4 Aug 2020 10:08:15 -0400
+Subject: [PATCH] Fix permissions after generating certificates with make
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ raddb/certs/bootstrap | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 336a2bd..9920ecf 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
+ #
+ if [ "$?" = "0" ]; then
+   make all
+-  exit $?
++  ret=$?
++  chown root:radiusd dh ca.* client.* server.*
++  chmod 640 dh ca.* client.* server.*
++  exit $ret
+ fi
+ 
+ #
+-- 
+2.26.2
+

SOURCES/freeradius-logrotate

@@ -0,0 +1,56 @@
+# You can use this to rotate the /var/log/radius/* files, simply copy
+# it to /etc/logrotate.d/radiusd
+
+# There are different detail-rotating strategies you can use.  One is
+# to write to a single detail file per IP and use the rotate config
+# below.  Another is to write to a daily detail file per IP with:
+#     detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
+# (or similar) in radiusd.conf, without rotation.  If you go with the
+# second technique, you will need another cron job that removes old
+# detail files.  You do not need to comment out the below for method #2.
+/var/log/radius/radacct/*/detail {
+	monthly
+	rotate 4
+	nocreate
+	missingok
+	compress
+	su radiusd radiusd
+}
+
+/var/log/radius/checkrad.log {
+	monthly
+	rotate 4
+	create
+	missingok
+	compress
+	su radiusd radiusd
+}
+
+/var/log/radius/radius.log {
+	monthly
+	rotate 4
+	create
+	missingok
+	compress
+	su radiusd radiusd
+	postrotate
+		/usr/bin/systemctl reload-or-try-restart radiusd
+	endscript
+}
+
+/var/log/radius/radwtmp {
+	monthly
+	rotate 4
+	create
+	compress
+	missingok
+	su radiusd radiusd
+}
+/var/log/radius/sqltrace.sql {
+        monthly
+        rotate 4
+        create
+        compress
+        missingok
+	su radiusd radiusd
+}

SOURCES/freeradius-no-buildtime-cert-gen.patch

@@ -0,0 +1,104 @@
+From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Wed, 8 May 2019 12:58:02 -0400
+Subject: [PATCH] Don't generate certificates in reproducible builds
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ Make.inc.in  | 5 +++++
+ configure    | 4 ++++
+ configure.ac | 3 +++
+ raddb/all.mk | 4 ++++
+ 4 files changed, 16 insertions(+)
+
+diff --git a/Make.inc.in b/Make.inc.in
+index 0b2cd74de8..8c623cf95c 100644
+--- a/Make.inc.in
++++ b/Make.inc.in
+@@ -173,3 +173,8 @@ else
+ 	TESTBINDIR = ./$(BUILD_DIR)/bin
+ 	TESTBIN    = ./$(BUILD_DIR)/bin
+ endif
++
++#
++#  With reproducible builds, do not generate certificates during installation
++#
++ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
+diff --git a/configure b/configure
+index c2c599c92b..3d4403a844 100755
+--- a/configure
++++ b/configure
+@@ -655,6 +655,7 @@ RUSERS
+ SNMPWALK
+ SNMPGET
+ PERL
++ENABLE_REPRODUCIBLE_BUILDS
+ openssl_version_check_config
+ WITH_DHCP
+ modconfdir
+@@ -5586,6 +5587,7 @@ else
+ fi
+ 
+ 
++ENABLE_REPRODUCIBLE_BUILDS=yes
+ # Check whether --enable-reproducible-builds was given.
+ if test "${enable_reproducible_builds+set}" = set; then :
+   enableval=$enable_reproducible_builds;  case "$enableval" in
+@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
+     ;;
+   *)
+     reproducible_builds=no
++    ENABLE_REPRODUCIBLE_BUILDS=no
+   esac
+ 
+ fi
+@@ -5604,6 +5607,7 @@ fi
+ 
+ 
+ 
++
+ CHECKRAD=checkrad
+ # Extract the first word of "perl", so it can be a program name with args.
+ set dummy perl; ac_word=$2
+diff --git a/configure.ac b/configure.ac
+index a7abf0025a..35b013f4af 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
+ dnl #
+ dnl #  extra argument: --enable-reproducible-builds
+ dnl #
++ENABLE_REPRODUCIBLE_BUILDS=yes
+ AC_ARG_ENABLE(reproducible-builds,
+ [AS_HELP_STRING([--enable-reproducible-builds],
+                 [ensure the build does not change each time])],
+@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
+     ;;
+   *)
+     reproducible_builds=no
++    ENABLE_REPRODUCIBLE_BUILDS=no
+   esac ]
+ )
++AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
+ 
+ 
+ dnl #############################################################
+diff --git a/raddb/all.mk b/raddb/all.mk
+index c966edd657..c8e976a499 100644
+--- a/raddb/all.mk
++++ b/raddb/all.mk
+@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
+ ifneq "$(LOCAL_CERT_PRODUCTS)" ""
+ $(LOCAL_CERT_PRODUCTS):
+ 	@echo BOOTSTRAP raddb/certs/
++ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
++	@$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
++else
+ 	@$(MAKE) -C $(R)$(raddbdir)/certs/
++endif
+ 
+ # Bootstrap is special
+ $(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
+-- 
+2.21.0
+

SOURCES/freeradius-pam-conf

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       include	password-auth
+account    required	pam_nologin.so
+account    include	password-auth
+password   include	password-auth
+session    include	password-auth

SOURCES/freeradius-tmpfiles.conf

@@ -0,0 +1 @@
+D /run/radiusd 0710 radiusd radiusd -

SOURCES/radiusd.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=FreeRADIUS high performance RADIUS server.
+After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/radiusd/radiusd.pid
+ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
+ExecStartPre=/usr/sbin/radiusd -C
+ExecStart=/usr/sbin/radiusd -d /etc/raddb
+ExecReload=/usr/sbin/radiusd -C
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target