rpms/freeradius
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to upstream 3.0.27

Browse Source 
Multiple patches have been either updated to work with 3.0.27 or removed
since they were backports and are now present in sources.

Resolves: RHEL-102101
Signed-off-by: Antonio Torres <antorres@redhat.com>
This commit is contained in:
Antonio Torres 2025-07-08 12:30:02 +02:00
parent b7497ccf00
commit c3f30c42a6
No known key found for this signature in database
GPG Key ID: 359FAF777296F653
11 changed files with 140 additions and 888 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -34,3 +34,4 @@ freeradius-*.src.rpm
/freeradius-server-3.0.19.tar.bz2
/freeradius-server-3.0.20.tar.bz2
/freeradius-server-3.0.21.tar.bz2
/freeradius-server-3.0.27.tar.bz2

32
freeradius-Fix-resource-hard-limit-error.patch
View File

@ -1,32 +0,0 @@
commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] debug: don't set resource hard limit to zero
Setting the resource hard limit to zero is irreversible, meaning if it
is set to zero then there is no way to set it higher. This means
enabling core dump is not possible, since setting a new resource limit
for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
can disable and enable core dumps without failures.
This fix is present in both main and 3.0.x upstream branches.
Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/lib/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/debug.c b/src/lib/debug.c
index 576bcb2a65..6330c9cb66 100644
--- a/src/lib/debug.c
+++ b/src/lib/debug.c
@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
struct rlimit no_core;
no_core.rlim_cur = 0;
- no_core.rlim_max = 0;
+ no_core.rlim_max = core_limits.rlim_max;
if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

31
freeradius-Use-system-crypto-policy-by-default.patch
View File

@ -4,6 +4,8 @@ Date: Wed, 8 May 2019 10:16:31 -0400
Subject: [PATCH] Use system-provided crypto-policies by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
[antorres@redhat.com]: updated to work with FreeRADIUS 3.0.27
---
raddb/mods-available/eap | 4 ++--
raddb/mods-available/inner-eap | 2 +-
@ -12,21 +14,21 @@ Signed-off-by: Alexander Scheel <ascheel@redhat.com>
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 36849e10f2..b28c0f19c6 100644
index d6780c3892..25f4687cb6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -368,7 +368,7 @@ eap {
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
@@ -405,7 +405,7 @@ eap {
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
#
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -912,7 +912,7 @@ eap {
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
@@ -1080,7 +1080,7 @@ eap {
# "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
# recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
#
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+ # cipher_list = "PROFILE=SYSTEM"
@ -47,23 +49,23 @@ index 576eb7739e..ffa07188e2 100644
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 92f1d6330e..cd69b3905a 100644
index b8d0626bbe..073b2933c2 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
@@ -20,7 +20,7 @@ listen {
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
cache {
enable = no
lifetime = 24 # hours
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index bbc761b1c5..83cd35b851 100644
index 257770777d..a24e433122 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -215,7 +215,7 @@ listen {
@@ -288,7 +288,7 @@ listen {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
@ -72,7 +74,7 @@ index bbc761b1c5..83cd35b851 100644
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -517,7 +517,7 @@ home_server tls {
@@ -679,7 +679,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
@ -81,6 +83,3 @@ index bbc761b1c5..83cd35b851 100644
}
}
--
2.21.0

15
freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
View File

@ -13,13 +13,14 @@ Signed-off-by: Antonio Torres <antorres@redhat.com>
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
In bootstrap diff, -f is changed to -e in conditionals.
[antorres@redhat.com]: updated to work with FreeRADIUS 3.0.27
---
raddb/certs/Makefile | 20 ++++++++++++++++----
raddb/certs/bootstrap | 6 +++---
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd467ce..cb10394ec3 100644
index c9fbc9e864..33eeef6640 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
@ -60,7 +61,7 @@ index 5cbfd467ce..cb10394ec3 100644
+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc
chmod g+r server.key
server.crt: server.csr ca.key ca.pem
server.crt: ca.key ca.pem server.csr
@@ -101,6 +107,8 @@ server.p12: server.crt
server.pem: server.p12
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
@ -78,8 +79,8 @@ index 5cbfd467ce..cb10394ec3 100644
+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key
client.crt: client.csr ca.pem ca.key
@@ -127,6 +135,8 @@ client.pem: client.p12
client.crt: ca.key ca.pem client.csr
@@ -128,6 +136,8 @@ client.pem: client.p12
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
chmod g+r client.pem
cp client.pem $(USER_NAME).pem
@ -88,7 +89,7 @@ index 5cbfd467ce..cb10394ec3 100644
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
@@ -140,7 +150,7 @@ client.vrfy: ca.pem client.pem
#
######################################################################
inner-server.csr inner-server.key: inner-server.cnf
@ -96,8 +97,8 @@ index 5cbfd467ce..cb10394ec3 100644
+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
chmod g+r inner-server.key
inner-server.crt: inner-server.csr ca.key ca.pem
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
inner-server.crt: ca.key ca.pem inner-server.csr
@@ -153,6 +163,8 @@ inner-server.p12: inner-server.crt
inner-server.pem: inner-server.p12
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
chmod g+r inner-server.pem

47
freeradius-fix-crash-on-invalid-abinary-data.patch
View File

@ -1,47 +0,0 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix crash on invalid abinary data
A malicious RADIUS client or home server can send a malformed abinary
attribute which can cause the server to crash.
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151707
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/lib/filters.c b/src/lib/filters.c
index 4868cd385d9f..3f3b63daeef3 100644
--- a/src/lib/filters.c
+++ b/src/lib/filters.c
@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
}
}
} else if (filter->type == RAD_FILTER_GENERIC) {
- int count;
+ size_t count, masklen;
+
+ masklen = ntohs(filter->u.generic.len);
+ if (masklen >= sizeof(filter->u.generic.mask)) {
+ *p = '\0';
+ return;
+ }
i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
p += i;
/* show the mask */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
p += i;
outlen -= i;
@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
outlen--;
/* show the value */
- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
+ for (count = 0; count < masklen; count++) {
i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
p += i;
outlen -= i;

115
freeradius-fix-crash-unknown-eap-sim.patch
View File

@ -1,115 +0,0 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 09 Dec 2022
Subject: Fix crash on unknown option in EAP-SIM
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
look that option up in the internal dictionaries. This lookup will fail, but the
SIM code will not check for that failure. Instead, it will dereference a NULL
pointer, and cause the server to crash.
Backport of:
https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151705
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
index cf1e8a7dd92..e438a844eab 100644
--- a/src/modules/rlm_eap/libeap/eapsimlib.c
+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
newvp->vp_length = 1;
fr_pair_add(&(r->vps), newvp);
+ /*
+ * EAP-SIM has a 1 octet of subtype, and 2 octets
+ * reserved.
+ */
attr += 3;
attrlen -= 3;
- /* now, loop processing each attribute that we find */
- while(attrlen > 0) {
+ /*
+ * Loop over each attribute. The format is:
+ *
+ * 1 octet of type
+ * 1 octet of length (value 1..255)
+ * ((4 * length) - 2) octets of data.
+ */
+ while (attrlen > 0) {
uint8_t *p;
- if(attrlen < 2) {
+ if (attrlen < 2) {
fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
return 0;
}
+ if (!attr[1]) {
+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
+ es_attribute_count);
+ return 0;
+ }
+
eapsim_attribute = attr[0];
eapsim_len = attr[1] * 4;
+ /*
+ * The length includes the 2-byte header.
+ */
if (eapsim_len > attrlen) {
fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
return 0;
}
- if(eapsim_len > MAX_STRING_LEN) {
- eapsim_len = MAX_STRING_LEN;
- }
- if (eapsim_len < 2) {
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
- es_attribute_count);
- return 0;
- }
+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
+ if (!newvp) {
+ /*
+ * RFC 4186 Section 8.1 says 0..127 are
+ * "non-skippable". If one such
+ * attribute is found and we don't
+ * understand it, the server has to send:
+ *
+ * EAP-Request/SIM/Notification packet with an
+ * (AT_NOTIFICATION code, which implies general failure ("General
+ * failure after authentication" (0), or "General failure" (16384),
+ * depending on the phase of the exchange), which terminates the
+ * authentication exchange.
+ */
+ if (eapsim_attribute <= 127) {
+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
+ eapsim_attribute);
+ return 0;
+ }
- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
- newvp->vp_length = eapsim_len-2;
- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
- memcpy(p, &attr[2], eapsim_len-2);
- fr_pair_add(&(r->vps), newvp);
- newvp = NULL;
+ } else {
+ /*
+ * It's known, ccount for header, and
+ * copy the value over.
+ */
+ newvp->vp_length = eapsim_len - 2;
+
+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
+ memcpy(p, &attr[2], newvp->vp_length);
+ fr_pair_add(&(r->vps), newvp);
+ }
/* advance pointers, decrement length */
attr += eapsim_len;

635
freeradius-fix-python3-library-suffix.patch
View File

@ -1,635 +0,0 @@
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 06 Nov 2023
Subject: Fix Python3.8+ library name suffix
Python 3.8 has removed the "m" suffix in the library name, add a check for it.
Backport of https://github.com/FreeRADIUS/freeradius-server/commit/fa837465493158257e600f28bca009ba890db863
Resolves: https://issues.redhat.com/browse/RHEL-15503
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
diff --git a/src/modules/rlm_python3/configure b/src/modules/rlm_python3/configure
index f421558ac0c0..05907f12c359 100755
--- a/src/modules/rlm_python3/configure
+++ b/src/modules/rlm_python3/configure
@@ -588,7 +588,17 @@ LIBOBJS
targetname
mod_cflags
mod_ldflags
+AWK
PYTHON3_CONFIG_BIN
+pkgpyexecdir
+pyexecdir
+pkgpythondir
+pythondir
+PYTHON_PLATFORM
+PYTHON_EXEC_PREFIX
+PYTHON_PREFIX
+PYTHON_VERSION
+PYTHON
CPP
OBJEXT
EXEEXT
@@ -648,7 +658,8 @@ CFLAGS
LDFLAGS
LIBS
CPPFLAGS
-CPP'
+CPP
+PYTHON'
# Initialize some variables set by options.
@@ -1266,6 +1277,7 @@ Some influential environment variables:
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
+ PYTHON the Python interpreter
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
@@ -1421,6 +1433,119 @@ fi
as_fn_set_status $ac_retval
} # ac_fn_c_try_cpp
+
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ rm -f conftest.$ac_objext conftest$ac_exeext
+ if { { ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_link") 2>conftest.err
+ ac_status=$?
+ if test -s conftest.err; then
+ grep -v '^ *+' conftest.err >conftest.er1
+ cat conftest.er1 >&5
+ mv -f conftest.er1 conftest.err
+ fi
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ test -x conftest$ac_exeext
+ }; then :
+ ac_retval=0
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_retval=1
+fi
+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+ # interfere with the next link command; also delete a directory that is
+ # left behind by Apple's compiler. We do this before executing the actions.
+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+ as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_link
+
+# ac_fn_c_check_func LINENO FUNC VAR
+# ----------------------------------
+# Tests whether FUNC exists, setting the cache variable VAR accordingly
+ac_fn_c_check_func ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5
+$as_echo_n "checking for $2... " >&6; }
+if eval \${$3+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+/* Define $2 to an innocuous variant, in case <limits.h> declares $2.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define $2 innocuous_$2
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char $2 (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $2
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $2 ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined __stub_$2 || defined __stub___$2
+choke me
+#endif
+
+int
+main ()
+{
+return $2 ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ eval "$3=yes"
+else
+ eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_func
cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
@@ -2705,6 +2830,267 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+
+
+ if test -n "$PYTHON"; then
+ # If the user set $PYTHON, use it and don't search something else.
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.0" >&5
+$as_echo_n "checking whether $PYTHON version is >= 3.0... " >&6; }
+ prog="import sys
+# split strings by '.' and convert to numeric. Append some zeros
+# because we need at least 4 digits for the hex conversion.
+# map returns an iterator in Python 3.0 and a list in 2.x
+minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0]
+minverhex = 0
+# xrange is not present in Python 3.0 and range returns an iterator
+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
+sys.exit(sys.hexversion < minverhex)"
+ if { echo "$as_me:$LINENO: $PYTHON -c "$prog"" >&5
+ ($PYTHON -c "$prog") >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ as_fn_error $? "Python interpreter is too old" "$LINENO" 5
+fi
+ am_display_PYTHON=$PYTHON
+ else
+ # Otherwise, try each interpreter until we find one that satisfies
+ # VERSION.
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.0" >&5
+$as_echo_n "checking for a Python interpreter with version >= 3.0... " >&6; }
+if ${am_cv_pathless_PYTHON+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ for am_cv_pathless_PYTHON in python python2 python3 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 none; do
+ test "$am_cv_pathless_PYTHON" = none && break
+ prog="import sys
+# split strings by '.' and convert to numeric. Append some zeros
+# because we need at least 4 digits for the hex conversion.
+# map returns an iterator in Python 3.0 and a list in 2.x
+minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0]
+minverhex = 0
+# xrange is not present in Python 3.0 and range returns an iterator
+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
+sys.exit(sys.hexversion < minverhex)"
+ if { echo "$as_me:$LINENO: $am_cv_pathless_PYTHON -c "$prog"" >&5
+ ($am_cv_pathless_PYTHON -c "$prog") >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then :
+ break
+fi
+ done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_pathless_PYTHON" >&5
+$as_echo "$am_cv_pathless_PYTHON" >&6; }
+ # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON.
+ if test "$am_cv_pathless_PYTHON" = none; then
+ PYTHON=:
+ else
+ # Extract the first word of "$am_cv_pathless_PYTHON", so it can be a program name with args.
+set dummy $am_cv_pathless_PYTHON; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PYTHON+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $PYTHON in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PYTHON=$ac_cv_path_PYTHON
+if test -n "$PYTHON"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5
+$as_echo "$PYTHON" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ fi
+ am_display_PYTHON=$am_cv_pathless_PYTHON
+ fi
+
+
+ if test "$PYTHON" = :; then
+ :
+ else
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5
+$as_echo_n "checking for $am_display_PYTHON version... " >&6; }
+if ${am_cv_python_version+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"`
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5
+$as_echo "$am_cv_python_version" >&6; }
+ PYTHON_VERSION=$am_cv_python_version
+
+
+
+ PYTHON_PREFIX='${prefix}'
+
+ PYTHON_EXEC_PREFIX='${exec_prefix}'
+
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5
+$as_echo_n "checking for $am_display_PYTHON platform... " >&6; }
+if ${am_cv_python_platform+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"`
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5
+$as_echo "$am_cv_python_platform" >&6; }
+ PYTHON_PLATFORM=$am_cv_python_platform
+
+
+ # Just factor out some code duplication.
+ am_python_setup_sysconfig="\
+import sys
+# Prefer sysconfig over distutils.sysconfig, for better compatibility
+# with python 3.x. See automake bug#10227.
+try:
+ import sysconfig
+except ImportError:
+ can_use_sysconfig = 0
+else:
+ can_use_sysconfig = 1
+# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs:
+# <https://github.com/pypa/virtualenv/issues/118>
+try:
+ from platform import python_implementation
+ if python_implementation() == 'CPython' and sys.version[:3] == '2.7':
+ can_use_sysconfig = 0
+except ImportError:
+ pass"
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5
+$as_echo_n "checking for $am_display_PYTHON script directory... " >&6; }
+if ${am_cv_python_pythondir+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "x$prefix" = xNONE
+ then
+ am_py_prefix=$ac_default_prefix
+ else
+ am_py_prefix=$prefix
+ fi
+ am_cv_python_pythondir=`$PYTHON -c "
+$am_python_setup_sysconfig
+if can_use_sysconfig:
+ sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'})
+else:
+ from distutils import sysconfig
+ sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix')
+sys.stdout.write(sitedir)"`
+ case $am_cv_python_pythondir in
+ $am_py_prefix*)
+ am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'`
+ am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"`
+ ;;
+ *)
+ case $am_py_prefix in
+ /usr|/System*) ;;
+ *)
+ am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages
+ ;;
+ esac
+ ;;
+ esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5
+$as_echo "$am_cv_python_pythondir" >&6; }
+ pythondir=$am_cv_python_pythondir
+
+
+
+ pkgpythondir=\${pythondir}/$PACKAGE
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5
+$as_echo_n "checking for $am_display_PYTHON extension module directory... " >&6; }
+if ${am_cv_python_pyexecdir+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test "x$exec_prefix" = xNONE
+ then
+ am_py_exec_prefix=$am_py_prefix
+ else
+ am_py_exec_prefix=$exec_prefix
+ fi
+ am_cv_python_pyexecdir=`$PYTHON -c "
+$am_python_setup_sysconfig
+if can_use_sysconfig:
+ sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'})
+else:
+ from distutils import sysconfig
+ sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix')
+sys.stdout.write(sitedir)"`
+ case $am_cv_python_pyexecdir in
+ $am_py_exec_prefix*)
+ am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'`
+ am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"`
+ ;;
+ *)
+ case $am_py_exec_prefix in
+ /usr|/System*) ;;
+ *)
+ am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages
+ ;;
+ esac
+ ;;
+ esac
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5
+$as_echo "$am_cv_python_pyexecdir" >&6; }
+ pyexecdir=$am_cv_python_pyexecdir
+
+
+
+ pkgpyexecdir=\${pyexecdir}/$PACKAGE
+
+
+
+ fi
+
+
+
PYTHON3_CONFIG_BIN=
# Check whether --with-rlm-python3-config-bin was given.
@@ -2771,8 +3157,6 @@ test -n "$PYTHON3_CONFIG_BIN" || PYTHON3_CONFIG_BIN="not-found"
fi
if test "x$PYTHON3_CONFIG_BIN" = xnot-found; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: python3-config not found" >&5
-$as_echo "$as_me: WARNING: python3-config not found" >&2;}
fail="$fail python3-config"
else
old_CFLAGS="$CFLAGS"
@@ -2794,7 +3178,85 @@ $as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"" >&6
{ $as_echo "$as_me:${as_lineno-$LINENO}: Sanitized cflags were \"${mod_cflags}\"" >&5
$as_echo "$as_me: Sanitized cflags were \"${mod_cflags}\"" >&6;}
- python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags`
+ for ac_prog in gawk mawk nawk awk
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_AWK+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$AWK"; then
+ ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_AWK="$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5
+$as_echo "$AWK" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$AWK" && break
+done
+
+
+
+
+ # Used to indicate true or false condition
+ ax_compare_version=false
+
+ # Convert the two version strings to be compared into a format that
+ # allows a simple string comparison. The end result is that a version
+ # string of the form 1.12.5-r617 will be converted to the form
+ # 0001001200050617. In other words, each number is zero padded to four
+ # digits, and non digits are removed.
+
+ ax_compare_version_A=`echo "${PYTHON_VERSION}" | sed -e 's/\([0-9]*\)/Z\1Z/g' \
+ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \
+ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \
+ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \
+ -e 's/[^0-9]//g'`
+
+
+ ax_compare_version_B=`echo "3.8" | sed -e 's/\([0-9]*\)/Z\1Z/g' \
+ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \
+ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \
+ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \
+ -e 's/[^0-9]//g'`
+
+
+ ax_compare_version=`echo "x$ax_compare_version_A
+x$ax_compare_version_B" | sed 's/^ *//' | sort -r | sed "s/x${ax_compare_version_A}/true/;s/x${ax_compare_version_B}/false/;1q"`
+
+
+
+ if test "$ax_compare_version" = "true" ; then
+ EMBED="--embed"
+ fi
+
+
+ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED`
{ $as_echo "$as_me:${as_lineno-$LINENO}: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&5
$as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&6;}
@@ -2811,6 +3273,18 @@ $as_echo "$as_me: Sanitized ldflags were \"${mod_ldflags}\"" >&6;}
targetname="rlm_python3"
fi
+
+for ac_func in dl_iterate_phdr
+do :
+ ac_fn_c_check_func "$LINENO" "dl_iterate_phdr" "ac_cv_func_dl_iterate_phdr"
+if test "x$ac_cv_func_dl_iterate_phdr" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_DL_ITERATE_PHDR 1
+_ACEOF
+
+fi
+done
+
else
targetname=
echo \*\*\* module rlm_python3 is disabled.
@@ -2833,11 +3307,7 @@ ac_config_headers="$ac_config_headers config.h"
-
- unset ac_cv_env_LIBS_set
- unset ac_cv_env_LIBS_value
-
- ac_config_files="$ac_config_files all.mk"
+ac_config_files="$ac_config_files all.mk"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
@@ -3417,6 +3887,7 @@ gives unlimited permission to copy, distribute and modify it."
ac_pwd='$ac_pwd'
srcdir='$srcdir'
+AWK='$AWK'
test -n "\$AWK" || AWK=awk
_ACEOF
@@ -4111,4 +4582,3 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
fi
-
diff --git a/src/modules/rlm_python3/configure.ac b/src/modules/rlm_python3/configure.ac
index 295a2486d2ac..698a8c1d1874 100644
--- a/src/modules/rlm_python3/configure.ac
+++ b/src/modules/rlm_python3/configure.ac
@@ -7,6 +7,7 @@ if test x$with_[]modname != xno; then
AC_PROG_CC
AC_PROG_CPP
+ AM_PATH_PYTHON([3.0],, [:])
dnl extra argument: --with-rlm-python3-config-bin
PYTHON3_CONFIG_BIN=
@@ -58,7 +59,11 @@ if test x$with_[]modname != xno; then
'`
AC_MSG_NOTICE([Sanitized cflags were \"${mod_cflags}\"])
- python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags`
+ dnl # From python 3.8, --embed is required
+ dnl # https://bugs.python.org/issue36721
+ AX_COMPARE_VERSION(${PYTHON_VERSION}, [ge], [3.8], [EMBED="--embed"], [])
+
+ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED`
AC_MSG_NOTICE([${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"])
dnl # Strip -Wl,-O1... Is -O even a valid linker flag??
@@ -77,6 +82,7 @@ if test x$with_[]modname != xno; then
targetname="rlm_python3"
fi
+ AC_CHECK_FUNCS([dl_iterate_phdr])
else
targetname=
echo \*\*\* module modname is disabled.
diff --git a/src/modules/rlm_python3/rlm_python3.c b/src/modules/rlm_python3/rlm_python3.c
index df223f0f401b..5da23f4d7116 100644
--- a/src/modules/rlm_python3/rlm_python3.c
+++ b/src/modules/rlm_python3/rlm_python3.c
@@ -41,8 +41,17 @@ RCSID("$Id$")
#include <link.h>
#endif
+/*
+ * Since version 3.8, the "m" suffix is no longer available.
+ * https://bugs.python.org/issue36707
+ */
+#if PY_MINOR_VERSION >= 8
+#define LIBPYTHON_LINKER_NAME \
+ "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) LT_SHREXT
+#else
#define LIBPYTHON_LINKER_NAME \
"libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) "m" LT_SHREXT
+#endif
static uint32_t python_instances = 0;
static void *python_dlhandle;

43
freeradius-no-buildtime-cert-gen.patch
View File

@ -4,34 +4,43 @@ Date: Wed, 8 May 2019 12:58:02 -0400
Subject: [PATCH] Don't generate certificates in reproducible builds
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
[antorres@redhat.com]: updated to work with FreeRADIUS 3.0.27
---
Make.inc.in | 5 +++++
configure | 4 ++++
configure.ac | 3 +++
raddb/all.mk | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/Make.inc.in b/Make.inc.in
index 0b2cd74de8..8c623cf95c 100644
index 05f82776ff..37626b4ccd 100644
--- a/Make.inc.in
+++ b/Make.inc.in
@@ -173,3 +173,8 @@ else
@@ -107,6 +107,7 @@ USE_SHARED_LIBS = @USE_SHARED_LIBS@
bm_shared_libs = @USE_SHARED_LIBS@
USE_STATIC_LIBS = @USE_STATIC_LIBS@
bm_static_libs = @USE_STATIC_LIBS@
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
STATIC_MODULES = @STATIC_MODULES@
LIBREADLINE = @LIBREADLINE@
@@ -173,8 +174,6 @@ else
TESTBINDIR = ./$(BUILD_DIR)/bin
TESTBIN = ./$(BUILD_DIR)/bin
endif
+
+#
+# With reproducible builds, do not generate certificates during installation
+#
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
-
-
#
# For creating documentation via doc/all.mk
#
diff --git a/configure b/configure
index c2c599c92b..3d4403a844 100755
index f77471c768..3e6a078a09 100755
--- a/configure
+++ b/configure
@@ -655,6 +655,7 @@ RUSERS
@@ -653,6 +653,7 @@ ACLOCAL
RUSERS
SNMPWALK
SNMPGET
PERL
+ENABLE_REPRODUCIBLE_BUILDS
openssl_version_check_config
WITH_DHCP
@ -61,10 +70,10 @@ index c2c599c92b..3d4403a844 100755
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
diff --git a/configure.ac b/configure.ac
index a7abf0025a..35b013f4af 100644
index ad8bc8cdda..d093b1d13e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
@@ -725,6 +725,7 @@ AC_SUBST([openssl_version_check_config])
dnl #
dnl # extra argument: --enable-reproducible-builds
dnl #
@ -72,7 +81,7 @@ index a7abf0025a..35b013f4af 100644
AC_ARG_ENABLE(reproducible-builds,
[AS_HELP_STRING([--enable-reproducible-builds],
[ensure the build does not change each time])],
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
@@ -736,8 +737,10 @@ AC_ARG_ENABLE(reproducible-builds,
;;
*)
reproducible_builds=no
@ -81,10 +90,8 @@ index a7abf0025a..35b013f4af 100644
)
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
dnl #############################################################
diff --git a/raddb/all.mk b/raddb/all.mk
index c966edd657..c8e976a499 100644
dnl #
dnl # Enable the -fsanitize=fuzzer and link in the address sanitizer
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize

28
freeradius-no-sqlippool-tool.patch Normal file
View File

@ -0,0 +1,28 @@
From: Antonio Torres <antorres@redhat.com>
Date: Wed, 5 Mar 2025
Subject: Remove sqlippool tool
This script relies on a Perl package, perl-Net-IP, that won't be available.
Remove it from build script and let the user pull it manually instead, as it's
just a helper script for SQL module users.
---
diff --git a/scripts/all.mk b/scripts/all.mk
index a6e90aa3eb..517adb8590 100644
--- a/scripts/all.mk
+++ b/scripts/all.mk
@@ -1,5 +1,5 @@
install: $(R)$(sbindir)/rc.radiusd $(R)$(sbindir)/raddebug \
- $(R)$(bindir)/radsqlrelay $(R)$(bindir)/radcrypt $(R)$(bindir)/rlm_sqlippool_tool
+ $(R)$(bindir)/radsqlrelay $(R)$(bindir)/radcrypt
$(R)$(sbindir)/rc.radiusd: scripts/rc.radiusd
@mkdir -p $(dir $@)
@@ -16,7 +16,3 @@ $(R)$(bindir)/radsqlrelay: scripts/sql/radsqlrelay
$(R)$(bindir)/radcrypt: scripts/cryptpasswd
@mkdir -p $(dir $@)
@$(INSTALL) -m 755 $< $@
-
-$(R)$(bindir)/rlm_sqlippool_tool: scripts/sql/rlm_sqlippool_tool
- @mkdir -p $(dir $@)
- @$(INSTALL) -m 755 $< $@

79
freeradius.spec
View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.21
Release: 45%{?dist}
Version: 3.0.27
Release: 1%{?dist}
License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/
@ -26,13 +26,9 @@ Patch2: freeradius-Use-system-crypto-policy-by-default.patch
Patch3: freeradius-bootstrap-create-only.patch
Patch4: freeradius-no-buildtime-cert-gen.patch
Patch5: freeradius-bootstrap-make-permissions.patch
Patch6: freeradius-Fix-resource-hard-limit-error.patch
Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
Patch8: freeradius-Backport-OpenSSL3-fixes.patch
Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
Patch10: freeradius-fix-crash-unknown-eap-sim.patch
Patch11: freeradius-fix-crash-on-invalid-abinary-data.patch
Patch12: freeradius-fix-python3-library-suffix.patch
Patch6: freeradius-ldap-infinite-timeout-on-starttls.patch
Patch7: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
Patch8: freeradius-no-sqlippool-tool.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -220,10 +216,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%build
# Force compile/link options, extra security for network facing daemon
@ -435,7 +427,7 @@ EOF
%dir %attr(770,root,radiusd) /etc/raddb/certs
%config(noreplace) /etc/raddb/certs/Makefile
%config(noreplace) /etc/raddb/certs/passwords.mk
/etc/raddb/certs/README
/etc/raddb/certs/README.md
%config(noreplace) /etc/raddb/certs/xpextensions
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf
%attr(750,root,radiusd) /etc/raddb/certs/bootstrap
@ -483,6 +475,9 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/google-ldap-auth
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/resource-check
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/totp
# sites-enabled
# symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx
@ -496,7 +491,6 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/always
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/attr_filter
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_eap
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/chap
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/counter
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cui
@ -550,13 +544,19 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_files
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_passwd
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap_google
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql_map
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/totp
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_auth
# mods-enabled
# symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx
%dir %attr(750,root,radiusd) /etc/raddb/mods-enabled
%config(missingok) /etc/raddb/mods-enabled/always
%config(missingok) /etc/raddb/mods-enabled/attr_filter
%config(missingok) /etc/raddb/mods-enabled/cache_eap
%config(missingok) /etc/raddb/mods-enabled/chap
%config(missingok) /etc/raddb/mods-enabled/date
%config(missingok) /etc/raddb/mods-enabled/detail
@ -584,6 +584,7 @@ EOF
%config(missingok) /etc/raddb/mods-enabled/unix
%config(missingok) /etc/raddb/mods-enabled/unpack
%config(missingok) /etc/raddb/mods-enabled/utf8
%config(missingok) /etc/raddb/mods-enabled/totp
# policy
%dir %attr(750,root,radiusd) /etc/raddb/policy.d
@ -638,7 +639,6 @@ EOF
%{_libdir}/freeradius/rlm_eap.so
%{_libdir}/freeradius/rlm_eap_fast.so
%{_libdir}/freeradius/rlm_eap_gtc.so
%{_libdir}/freeradius/rlm_eap_leap.so
%{_libdir}/freeradius/rlm_eap_md5.so
%{_libdir}/freeradius/rlm_eap_mschapv2.so
%{_libdir}/freeradius/rlm_eap_peap.so
@ -675,6 +675,8 @@ EOF
%{_libdir}/freeradius/rlm_utf8.so
%{_libdir}/freeradius/rlm_wimax.so
%{_libdir}/freeradius/rlm_yubikey.so
%{_libdir}/freeradius/rlm_sql_map.so
%{_libdir}/freeradius/rlm_totp.so
# main man pages
%doc %{_mandir}/man5/clients.conf.5.gz
@ -729,6 +731,7 @@ EOF
%doc %{_mandir}/man8/radsniff.8.gz
%doc %{_mandir}/man8/radsqlrelay.8.gz
%doc %{_mandir}/man8/rlm_ippool_tool.8.gz
%doc %{_mandir}/man8/rlm_sqlippool_tool.8.gz
%files devel
/usr/include/freeradius
@ -763,6 +766,7 @@ EOF
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/weeklycounter.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
@ -770,14 +774,49 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/schema.sql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/setup.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/schema.sql
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/setup.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/queries.conf
%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mssql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql
@ -803,6 +842,7 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/postgresql
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/postgresql/queries.conf
@ -831,6 +871,7 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf
%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/sqlite
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/sqlite/queries.conf
@ -864,6 +905,10 @@ EOF
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Tue Jul 08 2025 Antonio Torres <antorres@redhat.com> - 3.0.27-1
- Rebase to upstream 3.0.27
Resolves: RHEL-102101
* Mon May 26 2025 Antonio Torres <antorres@redhat.com> - 3.0.21-45
- Expose ca_path_reload_interval in configuration files
Resolves: RHEL-93552

2
sources
View File

@ -1 +1 @@
SHA512 (freeradius-server-3.0.21.tar.bz2) = 18cc142caad2143e30bc54242e3824b5f659f2f6e8f3401c71ce3b9063de0bd8d206d84822c4ad1d99457dfd7121333d4accd0c8340fcfc6b33b8fbe24a31729
SHA512 (freeradius-server-3.0.27.tar.bz2) = ece74af1b79f5725c4cf03c42c59d81acc371a51b341b23730c81f272c47f7a402041d630cb0f1749fb520c8cfcc9921e414b0f6c2102a22e8687a11997dd7b5