diff --git a/.gitignore b/.gitignore
index 2f5a9d8..b3736ed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,4 @@ freeradius-*.src.rpm
 /freeradius-server-3.0.19.tar.bz2
 /freeradius-server-3.0.20.tar.bz2
 /freeradius-server-3.0.21.tar.bz2
+/freeradius-server-3.0.27.tar.bz2
diff --git a/freeradius-Fix-resource-hard-limit-error.patch b/freeradius-Fix-resource-hard-limit-error.patch
deleted file mode 100644
index 800c06c..0000000
--- a/freeradius-Fix-resource-hard-limit-error.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
-Author: Antonio Torres
-Date: Fri Jul 2 07:12:48 2021 -0400
-Subject: [PATCH] debug: don't set resource hard limit to zero
-
- Setting the resource hard limit to zero is irreversible, meaning if it
- is set to zero then there is no way to set it higher. This means
- enabling core dump is not possible, since setting a new resource limit
- for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
- can disable and enable core dumps without failures.
-
- This fix is present in both main and 3.0.x upstream branches.
-
- Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
- Signed-off-by: Antonio Torres antorres@redhat.com
----
- src/lib/debug.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/lib/debug.c b/src/lib/debug.c
-index 576bcb2a65..6330c9cb66 100644
---- a/src/lib/debug.c
-+++ b/src/lib/debug.c
-@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
- struct rlimit no_core;
-
- no_core.rlim_cur = 0;
-- no_core.rlim_max = 0;
-+ no_core.rlim_max = core_limits.rlim_max;
-
- if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
- fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));
diff --git a/freeradius-Use-system-crypto-policy-by-default.patch b/freeradius-Use-system-crypto-policy-by-default.patch
index 199e583..9e513b5 100644
--- a/freeradius-Use-system-crypto-policy-by-default.patch
+++ b/freeradius-Use-system-crypto-policy-by-default.patch @@ -4,6 +4,8 @@ Date: Wed, 8 May 2019 10:16:31 -0400 Subject: [PATCH] Use system-provided crypto-policies by default Signed-off-by: Alexander Scheel + +[antorres@redhat.com]: updated to work with FreeRADIUS 3.0.27 --- raddb/mods-available/eap | 4 ++-- raddb/mods-available/inner-eap | 2 +- @@ -12,21 +14,21 @@ Signed-off-by: Alexander Scheel 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap -index 36849e10f2..b28c0f19c6 100644 +index d6780c3892..25f4687cb6 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap -@@ -368,7 +368,7 @@ eap { - # - # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2" +@@ -405,7 +405,7 @@ eap { + # TLS cipher suites. The format is listed + # in "man 1 ciphers". # - cipher_list = "DEFAULT" + cipher_list = "PROFILE=SYSTEM" # If enabled, OpenSSL will use server cipher list # (possibly defined by cipher_list option above) -@@ -912,7 +912,7 @@ eap { - # Note - for OpenSSL 1.1.0 and above you may need - # to add ":@SECLEVEL=0" +@@ -1080,7 +1080,7 @@ eap { + # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is + # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used # - # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2" + # cipher_list = "PROFILE=SYSTEM" @@ -47,23 +49,23 @@ index 576eb7739e..ffa07188e2 100644 # You may want to set a very small fragment size. # The TLS data here needs to go inside of the diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls -index 92f1d6330e..cd69b3905a 100644 +index b8d0626bbe..073b2933c2 100644 --- a/raddb/sites-available/abfab-tls +++ b/raddb/sites-available/abfab-tls -@@ -19,7 +19,7 @@ listen { +@@ -20,7 +20,7 @@ listen { dh_file = ${certdir}/dh fragment_size = 8192 ca_path = ${cadir} - cipher_list = "DEFAULT" + cipher_list = "PROFILE=SYSTEM" - cache { enable = no + lifetime = 24 # hours 
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls -index bbc761b1c5..83cd35b851 100644 +index 257770777d..a24e433122 100644 --- a/raddb/sites-available/tls +++ b/raddb/sites-available/tls -@@ -215,7 +215,7 @@ listen { +@@ -288,7 +288,7 @@ listen { # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". @@ -72,7 +74,7 @@ index bbc761b1c5..83cd35b851 100644 # If enabled, OpenSSL will use server cipher list # (possibly defined by cipher_list option above) -@@ -517,7 +517,7 @@ home_server tls { +@@ -679,7 +679,7 @@ home_server tls { # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". @@ -81,6 +83,3 @@ index bbc761b1c5..83cd35b851 100644 } } --- -2.21.0 - diff --git a/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch b/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch index b3dc68e..70b19e2 100644 --- a/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch +++ b/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch @@ -13,13 +13,14 @@ Signed-off-by: Antonio Torres [antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch. In bootstrap diff, -f is changed to -e in conditionals. +[antorres@redhat.com]: updated to work with FreeRADIUS 3.0.27 --- raddb/certs/Makefile | 20 ++++++++++++++++---- raddb/certs/bootstrap | 6 +++--- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile -index 5cbfd467ce..cb10394ec3 100644 +index c9fbc9e864..33eeef6640 100644 --- a/raddb/certs/Makefile +++ b/raddb/certs/Makefile @@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf @@ -60,7 +61,7 @@ index 5cbfd467ce..cb10394ec3 100644 + $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc chmod g+r server.key - server.crt: server.csr ca.key ca.pem + server.crt: ca.key ca.pem server.csr 
@@ -101,6 +107,8 @@ server.p12: server.crt server.pem: server.p12 $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) @@ -78,8 +79,8 @@ index 5cbfd467ce..cb10394ec3 100644 + $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc chmod g+r client.key - client.crt: client.csr ca.pem ca.key -@@ -127,6 +135,8 @@ client.pem: client.p12 + client.crt: ca.key ca.pem client.csr +@@ -128,6 +136,8 @@ client.pem: client.p12 $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) chmod g+r client.pem cp client.pem $(USER_NAME).pem @@ -88,7 +89,7 @@ index 5cbfd467ce..cb10394ec3 100644 .PHONY: client.vrfy client.vrfy: ca.pem client.pem -@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem +@@ -140,7 +150,7 @@ client.vrfy: ca.pem client.pem # ###################################################################### inner-server.csr inner-server.key: inner-server.cnf @@ -96,8 +97,8 @@ index 5cbfd467ce..cb10394ec3 100644 + $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc chmod g+r inner-server.key - inner-server.crt: inner-server.csr ca.key ca.pem -@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt + inner-server.crt: ca.key ca.pem inner-server.csr +@@ -153,6 +163,8 @@ inner-server.p12: inner-server.crt inner-server.pem: inner-server.p12 $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER) chmod g+r inner-server.pem diff --git a/freeradius-fix-crash-on-invalid-abinary-data.patch b/freeradius-fix-crash-on-invalid-abinary-data.patch deleted file mode 100644 index 862c6b5..0000000 --- a/freeradius-fix-crash-on-invalid-abinary-data.patch +++ /dev/null 
@@ -1,47 +0,0 @@
-From: Antonio Torres
-Date: Fri, 09 Dec 2022
-Subject: Fix crash on invalid abinary data
-
-A malicious RADIUS client or home server can send a malformed abinary
-attribute which can cause the server to crash.
-
-Backport of https://github.com/FreeRADIUS/freeradius-server/commit/0ec2b39d260e
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151707
-Signed-off-by: Antonio Torres
----
-diff --git a/src/lib/filters.c b/src/lib/filters.c
-index 4868cd385d9f..3f3b63daeef3 100644
---- a/src/lib/filters.c
-+++ b/src/lib/filters.c
-@@ -1205,13 +1205,19 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
- }
- }
- } else if (filter->type == RAD_FILTER_GENERIC) {
-- int count;
-+ size_t count, masklen;
-+
-+ masklen = ntohs(filter->u.generic.len);
-+ if (masklen >= sizeof(filter->u.generic.mask)) {
-+ *p = '\0';
-+ return;
-+ }
-
- i = snprintf(p, outlen, " %u ", (unsigned int) ntohs(filter->u.generic.offset));
- p += i;
-
- /* show the mask */
-- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
-+ for (count = 0; count < masklen; count++) {
- i = snprintf(p, outlen, "%02x", filter->u.generic.mask[count]);
- p += i;
- outlen -= i;
-@@ -1222,7 +1228,7 @@ void print_abinary(char *out, size_t outlen, uint8_t const *data, size_t len, in
- outlen--;
-
- /* show the value */
-- for (count = 0; count < ntohs(filter->u.generic.len); count++) {
-+ for (count = 0; count < masklen; count++) {
- i = snprintf(p, outlen, "%02x", filter->u.generic.value[count]);
- p += i;
- outlen -= i;
diff --git a/freeradius-fix-crash-unknown-eap-sim.patch b/freeradius-fix-crash-unknown-eap-sim.patch
deleted file mode 100644
index d2b7956..0000000
--- a/freeradius-fix-crash-unknown-eap-sim.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From: Antonio Torres
-Date: Fri, 09 Dec 2022
-Subject: Fix crash on unknown option in EAP-SIM
-
-When an EAP-SIM supplicant sends an unknown SIM option, the server will try to
-look that option up in the internal dictionaries. This lookup will fail, but the
-SIM code will not check for that failure. Instead, it will dereference a NULL
-pointer, and cause the server to crash.
-
-Backport of:
-https://github.com/FreeRADIUS/freeradius-server/commit/f1cdbb33ec61c4a64a
-https://github.com/FreeRADIUS/freeradius-server/commit/71128cac3ee236a88a05cc7bddd43e43a88a3089
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2151705
-Signed-off-by: Antonio Torres
----
-diff --git a/src/modules/rlm_eap/libeap/eapsimlib.c b/src/modules/rlm_eap/libeap/eapsimlib.c
-index cf1e8a7dd92..e438a844eab 100644
---- a/src/modules/rlm_eap/libeap/eapsimlib.c
-+++ b/src/modules/rlm_eap/libeap/eapsimlib.c
-@@ -307,42 +307,77 @@ int unmap_eapsim_basictypes(RADIUS_PACKET *r,
- newvp->vp_length = 1;
- fr_pair_add(&(r->vps), newvp);
-
-+ /*
-+ * EAP-SIM has a 1 octet of subtype, and 2 octets
-+ * reserved.
-+ */
- attr += 3;
- attrlen -= 3;
-
-- /* now, loop processing each attribute that we find */
-- while(attrlen > 0) {
-+ /*
-+ * Loop over each attribute. The format is:
-+ *
-+ * 1 octet of type
-+ * 1 octet of length (value 1..255)
-+ * ((4 * length) - 2) octets of data.
-+ */
-+ while (attrlen > 0) {
- uint8_t *p;
-
-- if(attrlen < 2) {
-+ if (attrlen < 2) {
- fr_strerror_printf("EAP-Sim attribute %d too short: %d < 2", es_attribute_count, attrlen);
- return 0;
- }
-
-+ if (!attr[1]) {
-+ fr_strerror_printf("EAP-Sim attribute %d (no.%d) has no data", attr[0],
-+ es_attribute_count);
-+ return 0;
-+ }
-+
- eapsim_attribute = attr[0];
- eapsim_len = attr[1] * 4;
-
-+ /*
-+ * The length includes the 2-byte header.
-+ */
- if (eapsim_len > attrlen) {
- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length longer than data (%d > %d)",
- eapsim_attribute, es_attribute_count, eapsim_len, attrlen);
- return 0;
- }
-
-- if(eapsim_len > MAX_STRING_LEN) {
-- eapsim_len = MAX_STRING_LEN;
-- }
-- if (eapsim_len < 2) {
-- fr_strerror_printf("EAP-Sim attribute %d (no.%d) has length too small", eapsim_attribute,
-- es_attribute_count);
-- return 0;
-- }
-+ newvp = fr_pair_afrom_num(r, eapsim_attribute + PW_EAP_SIM_BASE, 0);
-+ if (!newvp) {
-+ /*
-+ * RFC 4186 Section 8.1 says 0..127 are
-+ * "non-skippable". If one such
-+ * attribute is found and we don't
-+ * understand it, the server has to send:
-+ *
-+ * EAP-Request/SIM/Notification packet with an
-+ * (AT_NOTIFICATION code, which implies general failure ("General
-+ * failure after authentication" (0), or "General failure" (16384),
-+ * depending on the phase of the exchange), which terminates the
-+ * authentication exchange.
-+ */
-+ if (eapsim_attribute <= 127) {
-+ fr_strerror_printf("Unknown mandatory attribute %d, failing",
-+ eapsim_attribute);
-+ return 0;
-+ }
-
-- newvp = fr_pair_afrom_num(r, eapsim_attribute+PW_EAP_SIM_BASE, 0);
-- newvp->vp_length = eapsim_len-2;
-- newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
-- memcpy(p, &attr[2], eapsim_len-2);
-- fr_pair_add(&(r->vps), newvp);
-- newvp = NULL;
-+ } else {
-+ /*
-+ * It's known, ccount for header, and
-+ * copy the value over.
-+ */
-+ newvp->vp_length = eapsim_len - 2;
-+
-+ newvp->vp_octets = p = talloc_array(newvp, uint8_t, newvp->vp_length);
-+ memcpy(p, &attr[2], newvp->vp_length);
-+ fr_pair_add(&(r->vps), newvp);
-+ }
-
- /* advance pointers, decrement length */
- attr += eapsim_len;
diff --git a/freeradius-fix-python3-library-suffix.patch b/freeradius-fix-python3-library-suffix.patch
deleted file mode 100644
index b6d6ab3..0000000
--- a/freeradius-fix-python3-library-suffix.patch
+++ /dev/null
@@ -1,635 +0,0 @@ -From: Antonio Torres -Date: Mon, 06 Nov 2023 -Subject: Fix Python3.8+ library name suffix - -Python 3.8 has removed the "m" suffix in the library name, add a check for it. - -Backport of https://github.com/FreeRADIUS/freeradius-server/commit/fa837465493158257e600f28bca009ba890db863 - -Resolves: https://issues.redhat.com/browse/RHEL-15503 -Signed-off-by: Antonio Torres ---- -diff --git a/src/modules/rlm_python3/configure b/src/modules/rlm_python3/configure -index f421558ac0c0..05907f12c359 100755 ---- a/src/modules/rlm_python3/configure -+++ b/src/modules/rlm_python3/configure -@@ -588,7 +588,17 @@ LIBOBJS - targetname - mod_cflags - mod_ldflags -+AWK - PYTHON3_CONFIG_BIN -+pkgpyexecdir -+pyexecdir -+pkgpythondir -+pythondir -+PYTHON_PLATFORM -+PYTHON_EXEC_PREFIX -+PYTHON_PREFIX -+PYTHON_VERSION -+PYTHON - CPP - OBJEXT - EXEEXT -@@ -648,7 +658,8 @@ CFLAGS - LDFLAGS - LIBS - CPPFLAGS --CPP' -+CPP -+PYTHON' - - - # Initialize some variables set by options. -@@ -1266,6 +1277,7 @@ Some influential environment variables: - CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if - you have headers in a nonstandard directory - CPP C preprocessor -+ PYTHON the Python interpreter - - Use these variables to override the choices made by `configure' or to help - it to find libraries and programs with nonstandard names/locations. -@@ -1421,6 +1433,119 @@ fi - as_fn_set_status $ac_retval - - } # ac_fn_c_try_cpp -+ -+# ac_fn_c_try_link LINENO -+# ----------------------- -+# Try to link conftest.$ac_ext, and return whether this succeeded. 
-+ac_fn_c_try_link () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ rm -f conftest.$ac_objext conftest$ac_exeext -+ if { { ac_try="$ac_link" -+case "(($ac_try" in -+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; -+ *) ac_try_echo=$ac_try;; -+esac -+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -+$as_echo "$ac_try_echo"; } >&5 -+ (eval "$ac_link") 2>conftest.err -+ ac_status=$? -+ if test -s conftest.err; then -+ grep -v '^ *+' conftest.err >conftest.er1 -+ cat conftest.er1 >&5 -+ mv -f conftest.er1 conftest.err -+ fi -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; } && { -+ test -z "$ac_c_werror_flag" || -+ test ! -s conftest.err -+ } && test -s conftest$ac_exeext && { -+ test "$cross_compiling" = yes || -+ test -x conftest$ac_exeext -+ }; then : -+ ac_retval=0 -+else -+ $as_echo "$as_me: failed program was:" >&5 -+sed 's/^/| /' conftest.$ac_ext >&5 -+ -+ ac_retval=1 -+fi -+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information -+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would -+ # interfere with the next link command; also delete a directory that is -+ # left behind by Apple's compiler. We do this before executing the actions. -+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo -+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno -+ as_fn_set_status $ac_retval -+ -+} # ac_fn_c_try_link -+ -+# ac_fn_c_check_func LINENO FUNC VAR -+# ---------------------------------- -+# Tests whether FUNC exists, setting the cache variable VAR accordingly -+ac_fn_c_check_func () -+{ -+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -+$as_echo_n "checking for $2... " >&6; } -+if eval \${$3+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. 
*/ -+/* Define $2 to an innocuous variant, in case declares $2. -+ For example, HP-UX 11i declares gettimeofday. */ -+#define $2 innocuous_$2 -+ -+/* System header to define __stub macros and hopefully few prototypes, -+ which can conflict with char $2 (); below. -+ Prefer to if __STDC__ is defined, since -+ exists even on freestanding compilers. */ -+ -+#ifdef __STDC__ -+# include -+#else -+# include -+#endif -+ -+#undef $2 -+ -+/* Override any GCC internal prototype to avoid an error. -+ Use char because int might match the return type of a GCC -+ builtin and then its argument prototype would still apply. */ -+#ifdef __cplusplus -+extern "C" -+#endif -+char $2 (); -+/* The GNU C library defines this for functions which it implements -+ to always fail with ENOSYS. Some functions are actually named -+ something starting with __ and the normal name is an alias. */ -+#if defined __stub_$2 || defined __stub___$2 -+choke me -+#endif -+ -+int -+main () -+{ -+return $2 (); -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then : -+ eval "$3=yes" -+else -+ eval "$3=no" -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+fi -+eval ac_res=\$$3 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -+$as_echo "$ac_res" >&6; } -+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno -+ -+} # ac_fn_c_check_func - cat >config.log <<_ACEOF - This file contains any messages produced by compilers while - running configure, to aid debugging if configure makes a mistake. -@@ -2705,6 +2830,267 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ - ac_compiler_gnu=$ac_cv_c_compiler_gnu - - -+ -+ -+ -+ -+ -+ if test -n "$PYTHON"; then -+ # If the user set $PYTHON, use it and don't search something else. -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.0" >&5 -+$as_echo_n "checking whether $PYTHON version is >= 3.0... 
" >&6; } -+ prog="import sys -+# split strings by '.' and convert to numeric. Append some zeros -+# because we need at least 4 digits for the hex conversion. -+# map returns an iterator in Python 3.0 and a list in 2.x -+minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0] -+minverhex = 0 -+# xrange is not present in Python 3.0 and range returns an iterator -+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] -+sys.exit(sys.hexversion < minverhex)" -+ if { echo "$as_me:$LINENO: $PYTHON -c "$prog"" >&5 -+ ($PYTHON -c "$prog") >&5 2>&5 -+ ac_status=$? -+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 -+ (exit $ac_status); }; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+ as_fn_error $? "Python interpreter is too old" "$LINENO" 5 -+fi -+ am_display_PYTHON=$PYTHON -+ else -+ # Otherwise, try each interpreter until we find one that satisfies -+ # VERSION. -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.0" >&5 -+$as_echo_n "checking for a Python interpreter with version >= 3.0... " >&6; } -+if ${am_cv_pathless_PYTHON+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ -+ for am_cv_pathless_PYTHON in python python2 python3 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 none; do -+ test "$am_cv_pathless_PYTHON" = none && break -+ prog="import sys -+# split strings by '.' and convert to numeric. Append some zeros -+# because we need at least 4 digits for the hex conversion. 
-+# map returns an iterator in Python 3.0 and a list in 2.x -+minver = list(map(int, '3.0'.split('.'))) + [0, 0, 0] -+minverhex = 0 -+# xrange is not present in Python 3.0 and range returns an iterator -+for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] -+sys.exit(sys.hexversion < minverhex)" -+ if { echo "$as_me:$LINENO: $am_cv_pathless_PYTHON -c "$prog"" >&5 -+ ($am_cv_pathless_PYTHON -c "$prog") >&5 2>&5 -+ ac_status=$? -+ echo "$as_me:$LINENO: \$? = $ac_status" >&5 -+ (exit $ac_status); }; then : -+ break -+fi -+ done -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_pathless_PYTHON" >&5 -+$as_echo "$am_cv_pathless_PYTHON" >&6; } -+ # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON. -+ if test "$am_cv_pathless_PYTHON" = none; then -+ PYTHON=: -+ else -+ # Extract the first word of "$am_cv_pathless_PYTHON", so it can be a program name with args. -+set dummy $am_cv_pathless_PYTHON; ac_word=$2 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if ${ac_cv_path_PYTHON+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ case $PYTHON in -+ [\\/]* | ?:[\\/]*) -+ ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path. -+ ;; -+ *) -+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. 
-+ for ac_exec_ext in '' $ac_executable_extensions; do -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -+ ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ break 2 -+ fi -+done -+ done -+IFS=$as_save_IFS -+ -+ ;; -+esac -+fi -+PYTHON=$ac_cv_path_PYTHON -+if test -n "$PYTHON"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5 -+$as_echo "$PYTHON" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ -+ fi -+ am_display_PYTHON=$am_cv_pathless_PYTHON -+ fi -+ -+ -+ if test "$PYTHON" = :; then -+ : -+ else -+ -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5 -+$as_echo_n "checking for $am_display_PYTHON version... " >&6; } -+if ${am_cv_python_version+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"` -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5 -+$as_echo "$am_cv_python_version" >&6; } -+ PYTHON_VERSION=$am_cv_python_version -+ -+ -+ -+ PYTHON_PREFIX='${prefix}' -+ -+ PYTHON_EXEC_PREFIX='${exec_prefix}' -+ -+ -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5 -+$as_echo_n "checking for $am_display_PYTHON platform... " >&6; } -+if ${am_cv_python_platform+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"` -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5 -+$as_echo "$am_cv_python_platform" >&6; } -+ PYTHON_PLATFORM=$am_cv_python_platform -+ -+ -+ # Just factor out some code duplication. -+ am_python_setup_sysconfig="\ -+import sys -+# Prefer sysconfig over distutils.sysconfig, for better compatibility -+# with python 3.x. See automake bug#10227. 
-+try: -+ import sysconfig -+except ImportError: -+ can_use_sysconfig = 0 -+else: -+ can_use_sysconfig = 1 -+# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs: -+# -+try: -+ from platform import python_implementation -+ if python_implementation() == 'CPython' and sys.version[:3] == '2.7': -+ can_use_sysconfig = 0 -+except ImportError: -+ pass" -+ -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5 -+$as_echo_n "checking for $am_display_PYTHON script directory... " >&6; } -+if ${am_cv_python_pythondir+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ if test "x$prefix" = xNONE -+ then -+ am_py_prefix=$ac_default_prefix -+ else -+ am_py_prefix=$prefix -+ fi -+ am_cv_python_pythondir=`$PYTHON -c " -+$am_python_setup_sysconfig -+if can_use_sysconfig: -+ sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'}) -+else: -+ from distutils import sysconfig -+ sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix') -+sys.stdout.write(sitedir)"` -+ case $am_cv_python_pythondir in -+ $am_py_prefix*) -+ am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'` -+ am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"` -+ ;; -+ *) -+ case $am_py_prefix in -+ /usr|/System*) ;; -+ *) -+ am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages -+ ;; -+ esac -+ ;; -+ esac -+ -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5 -+$as_echo "$am_cv_python_pythondir" >&6; } -+ pythondir=$am_cv_python_pythondir -+ -+ -+ -+ pkgpythondir=\${pythondir}/$PACKAGE -+ -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5 -+$as_echo_n "checking for $am_display_PYTHON extension module directory... 
" >&6; } -+if ${am_cv_python_pyexecdir+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ if test "x$exec_prefix" = xNONE -+ then -+ am_py_exec_prefix=$am_py_prefix -+ else -+ am_py_exec_prefix=$exec_prefix -+ fi -+ am_cv_python_pyexecdir=`$PYTHON -c " -+$am_python_setup_sysconfig -+if can_use_sysconfig: -+ sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'}) -+else: -+ from distutils import sysconfig -+ sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix') -+sys.stdout.write(sitedir)"` -+ case $am_cv_python_pyexecdir in -+ $am_py_exec_prefix*) -+ am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'` -+ am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"` -+ ;; -+ *) -+ case $am_py_exec_prefix in -+ /usr|/System*) ;; -+ *) -+ am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages -+ ;; -+ esac -+ ;; -+ esac -+ -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5 -+$as_echo "$am_cv_python_pyexecdir" >&6; } -+ pyexecdir=$am_cv_python_pyexecdir -+ -+ -+ -+ pkgpyexecdir=\${pyexecdir}/$PACKAGE -+ -+ -+ -+ fi -+ -+ -+ - PYTHON3_CONFIG_BIN= - - # Check whether --with-rlm-python3-config-bin was given. 
-@@ -2771,8 +3157,6 @@ test -n "$PYTHON3_CONFIG_BIN" || PYTHON3_CONFIG_BIN="not-found" - fi - - if test "x$PYTHON3_CONFIG_BIN" = xnot-found; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: python3-config not found" >&5 --$as_echo "$as_me: WARNING: python3-config not found" >&2;} - fail="$fail python3-config" - else - old_CFLAGS="$CFLAGS" -@@ -2794,7 +3178,85 @@ $as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s cflags were \"${python3_cflags}\"" >&6 - { $as_echo "$as_me:${as_lineno-$LINENO}: Sanitized cflags were \"${mod_cflags}\"" >&5 - $as_echo "$as_me: Sanitized cflags were \"${mod_cflags}\"" >&6;} - -- python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags` -+ for ac_prog in gawk mawk nawk awk -+do -+ # Extract the first word of "$ac_prog", so it can be a program name with args. -+set dummy $ac_prog; ac_word=$2 -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -+$as_echo_n "checking for $ac_word... " >&6; } -+if ${ac_cv_prog_AWK+:} false; then : -+ $as_echo_n "(cached) " >&6 -+else -+ if test -n "$AWK"; then -+ ac_cv_prog_AWK="$AWK" # Let the user override the test. -+else -+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -+for as_dir in $PATH -+do -+ IFS=$as_save_IFS -+ test -z "$as_dir" && as_dir=. -+ for ac_exec_ext in '' $ac_executable_extensions; do -+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then -+ ac_cv_prog_AWK="$ac_prog" -+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 -+ break 2 -+ fi -+done -+ done -+IFS=$as_save_IFS -+ -+fi -+fi -+AWK=$ac_cv_prog_AWK -+if test -n "$AWK"; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 -+$as_echo "$AWK" >&6; } -+else -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } -+fi -+ -+ -+ test -n "$AWK" && break -+done -+ -+ -+ -+ -+ # Used to indicate true or false condition -+ ax_compare_version=false -+ -+ # Convert the two version strings to be compared into a format that -+ # allows a simple string comparison. 
The end result is that a version -+ # string of the form 1.12.5-r617 will be converted to the form -+ # 0001001200050617. In other words, each number is zero padded to four -+ # digits, and non digits are removed. -+ -+ ax_compare_version_A=`echo "${PYTHON_VERSION}" | sed -e 's/\([0-9]*\)/Z\1Z/g' \ -+ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \ -+ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \ -+ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \ -+ -e 's/[^0-9]//g'` -+ -+ -+ ax_compare_version_B=`echo "3.8" | sed -e 's/\([0-9]*\)/Z\1Z/g' \ -+ -e 's/Z\([0-9]\)Z/Z0\1Z/g' \ -+ -e 's/Z\([0-9][0-9]\)Z/Z0\1Z/g' \ -+ -e 's/Z\([0-9][0-9][0-9]\)Z/Z0\1Z/g' \ -+ -e 's/[^0-9]//g'` -+ -+ -+ ax_compare_version=`echo "x$ax_compare_version_A -+x$ax_compare_version_B" | sed 's/^ *//' | sort -r | sed "s/x${ax_compare_version_A}/true/;s/x${ax_compare_version_B}/false/;1q"` -+ -+ -+ -+ if test "$ax_compare_version" = "true" ; then -+ EMBED="--embed" -+ fi -+ -+ -+ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED` - { $as_echo "$as_me:${as_lineno-$LINENO}: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&5 - $as_echo "$as_me: ${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"" >&6;} - -@@ -2811,6 +3273,18 @@ $as_echo "$as_me: Sanitized ldflags were \"${mod_ldflags}\"" >&6;} - - targetname="rlm_python3" - fi -+ -+for ac_func in dl_iterate_phdr -+do : -+ ac_fn_c_check_func "$LINENO" "dl_iterate_phdr" "ac_cv_func_dl_iterate_phdr" -+if test "x$ac_cv_func_dl_iterate_phdr" = xyes; then : -+ cat >>confdefs.h <<_ACEOF -+#define HAVE_DL_ITERATE_PHDR 1 -+_ACEOF -+ -+fi -+done -+ - else - targetname= - echo \*\*\* module rlm_python3 is disabled. 
-@@ -2833,11 +3307,7 @@ ac_config_headers="$ac_config_headers config.h" - - - -- -- unset ac_cv_env_LIBS_set -- unset ac_cv_env_LIBS_value -- -- ac_config_files="$ac_config_files all.mk" -+ac_config_files="$ac_config_files all.mk" - - cat >confcache <<\_ACEOF - # This file is a shell script that caches the results of configure -@@ -3417,6 +3887,7 @@ gives unlimited permission to copy, distribute and modify it." - - ac_pwd='$ac_pwd' - srcdir='$srcdir' -+AWK='$AWK' - test -n "\$AWK" || AWK=awk - _ACEOF - -@@ -4111,4 +4582,3 @@ if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then - $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} - fi - -- -diff --git a/src/modules/rlm_python3/configure.ac b/src/modules/rlm_python3/configure.ac -index 295a2486d2ac..698a8c1d1874 100644 ---- a/src/modules/rlm_python3/configure.ac -+++ b/src/modules/rlm_python3/configure.ac -@@ -7,6 +7,7 @@ if test x$with_[]modname != xno; then - - AC_PROG_CC - AC_PROG_CPP -+ AM_PATH_PYTHON([3.0],, [:]) - - dnl extra argument: --with-rlm-python3-config-bin - PYTHON3_CONFIG_BIN= -@@ -58,7 +59,11 @@ if test x$with_[]modname != xno; then - '` - AC_MSG_NOTICE([Sanitized cflags were \"${mod_cflags}\"]) - -- python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags` -+ dnl # From python 3.8, --embed is required -+ dnl # https://bugs.python.org/issue36721 -+ AX_COMPARE_VERSION(${PYTHON_VERSION}, [ge], [3.8], [EMBED="--embed"], []) -+ -+ python3_ldflags=`${PYTHON3_CONFIG_BIN} --ldflags $EMBED` - AC_MSG_NOTICE([${PYTHON3_CONFIG_BIN}'s ldflags were \"$python3_ldflags}\"]) - - dnl # Strip -Wl,-O1... Is -O even a valid linker flag?? -@@ -77,6 +82,7 @@ if test x$with_[]modname != xno; then - - targetname="rlm_python3" - fi -+ AC_CHECK_FUNCS([dl_iterate_phdr]) - else - targetname= - echo \*\*\* module modname is disabled. 
-diff --git a/src/modules/rlm_python3/rlm_python3.c b/src/modules/rlm_python3/rlm_python3.c -index df223f0f401b..5da23f4d7116 100644 ---- a/src/modules/rlm_python3/rlm_python3.c -+++ b/src/modules/rlm_python3/rlm_python3.c -@@ -41,8 +41,17 @@ RCSID("$Id$") - #include - #endif - -+/* -+ * Since version 3.8, the "m" suffix is no longer available. -+ * https://bugs.python.org/issue36707 -+ */ -+#if PY_MINOR_VERSION >= 8 -+#define LIBPYTHON_LINKER_NAME \ -+ "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) LT_SHREXT -+#else - #define LIBPYTHON_LINKER_NAME \ - "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) "m" LT_SHREXT -+#endif - - static uint32_t python_instances = 0; - static void *python_dlhandle; diff --git a/freeradius-no-buildtime-cert-gen.patch b/freeradius-no-buildtime-cert-gen.patch index aa3be66..df2c316 100644 --- a/freeradius-no-buildtime-cert-gen.patch +++ b/freeradius-no-buildtime-cert-gen.patch @@ -4,34 +4,43 @@ Date: Wed, 8 May 2019 12:58:02 -0400 Subject: [PATCH] Don't generate certificates in reproducible builds Signed-off-by: Alexander Scheel +[antorres@redhat.com]: updated to work with FreeRADIUS 3.0.27 --- Make.inc.in | 5 +++++ configure | 4 ++++ configure.ac | 3 +++ raddb/all.mk | 4 ++++ 4 files changed, 16 insertions(+) - diff --git a/Make.inc.in b/Make.inc.in -index 0b2cd74de8..8c623cf95c 100644 +index 05f82776ff..37626b4ccd 100644 --- a/Make.inc.in 
+++ b/Make.inc.in -@@ -173,3 +173,8 @@ else +@@ -107,6 +107,7 @@ USE_SHARED_LIBS = @USE_SHARED_LIBS@ + bm_shared_libs = @USE_SHARED_LIBS@ + USE_STATIC_LIBS = @USE_STATIC_LIBS@ + bm_static_libs = @USE_STATIC_LIBS@ ++ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@ + + STATIC_MODULES = @STATIC_MODULES@ + LIBREADLINE = @LIBREADLINE@ +@@ -173,8 +174,6 @@ else TESTBINDIR = ./$(BUILD_DIR)/bin TESTBIN = ./$(BUILD_DIR)/bin endif -+ -+# -+# With reproducible builds, do not generate certificates during installation -+# -+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@ +- +- + # + # For creating documentation via doc/all.mk + # + diff --git a/configure b/configure -index c2c599c92b..3d4403a844 100755 +index f77471c768..3e6a078a09 100755 --- a/configure +++ b/configure -@@ -655,6 +655,7 @@ RUSERS +@@ -653,6 +653,7 @@ ACLOCAL + RUSERS SNMPWALK SNMPGET - PERL +ENABLE_REPRODUCIBLE_BUILDS openssl_version_check_config WITH_DHCP @@ -61,10 +70,10 @@ index c2c599c92b..3d4403a844 100755 # Extract the first word of "perl", so it can be a program name with args. set dummy perl; ac_word=$2 diff --git a/configure.ac b/configure.ac -index a7abf0025a..35b013f4af 100644 +index ad8bc8cdda..d093b1d13e 100644 --- a/configure.ac +++ b/configure.ac -@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config]) +@@ -725,6 +725,7 @@ AC_SUBST([openssl_version_check_config]) dnl # dnl # extra argument: --enable-reproducible-builds dnl # @@ -72,7 +81,7 @@ index a7abf0025a..35b013f4af 100644 AC_ARG_ENABLE(reproducible-builds, [AS_HELP_STRING([--enable-reproducible-builds], [ensure the build does not change each time])], -@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds, +@@ -736,8 +737,10 @@ AC_ARG_ENABLE(reproducible-builds, ;; *) reproducible_builds=no 
@@ -81,10 +90,8 @@ index a7abf0025a..35b013f4af 100644 ) +AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS) - - dnl ############################################################# -diff --git a/raddb/all.mk b/raddb/all.mk -index c966edd657..c8e976a499 100644 + dnl # + dnl # Enable the -fsanitize=fuzzer and link in the address sanitizer --- a/raddb/all.mk +++ b/raddb/all.mk @@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize diff --git a/freeradius-no-sqlippool-tool.patch b/freeradius-no-sqlippool-tool.patch new file mode 100644 index 0000000..58d3282 --- /dev/null +++ b/freeradius-no-sqlippool-tool.patch @@ -0,0 +1,28 @@ +From: Antonio Torres +Date: Wed, 5 Mar 2025 +Subject: Remove sqlippool tool + +This script relies on a Perl package, perl-Net-IP, that won't be available. +Remove it from build script and let the user pull it manually instead, as it's +just a helper script for SQL module users. + +--- +diff --git a/scripts/all.mk b/scripts/all.mk +index a6e90aa3eb..517adb8590 100644 +--- a/scripts/all.mk ++++ b/scripts/all.mk +@@ -1,5 +1,5 @@ + install: $(R)$(sbindir)/rc.radiusd $(R)$(sbindir)/raddebug \ +- $(R)$(bindir)/radsqlrelay $(R)$(bindir)/radcrypt $(R)$(bindir)/rlm_sqlippool_tool ++ $(R)$(bindir)/radsqlrelay $(R)$(bindir)/radcrypt + + $(R)$(sbindir)/rc.radiusd: scripts/rc.radiusd + @mkdir -p $(dir $@) +@@ -16,7 +16,3 @@ $(R)$(bindir)/radsqlrelay: scripts/sql/radsqlrelay + $(R)$(bindir)/radcrypt: scripts/cryptpasswd + @mkdir -p $(dir $@) + @$(INSTALL) -m 755 $< $@ +- +-$(R)$(bindir)/rlm_sqlippool_tool: scripts/sql/rlm_sqlippool_tool +- @mkdir -p $(dir $@) +- @$(INSTALL) -m 755 $< $@ diff --git a/freeradius.spec b/freeradius.spec index da7db3a..6ac84d2 100644 --- a/freeradius.spec +++ b/freeradius.spec @@ -1,7 +1,7 @@ Summary: High-performance and highly configurable free RADIUS server Name: freeradius -Version: 3.0.21 -Release: 45%{?dist} +Version: 3.0.27 +Release: 1%{?dist} License: GPLv2+ and LGPLv2+ URL: http://www.freeradius.org/ 
@@ -26,13 +26,9 @@ Patch2: freeradius-Use-system-crypto-policy-by-default.patch Patch3: freeradius-bootstrap-create-only.patch Patch4: freeradius-no-buildtime-cert-gen.patch Patch5: freeradius-bootstrap-make-permissions.patch -Patch6: freeradius-Fix-resource-hard-limit-error.patch -Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch -Patch8: freeradius-Backport-OpenSSL3-fixes.patch -Patch9: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch -Patch10: freeradius-fix-crash-unknown-eap-sim.patch -Patch11: freeradius-fix-crash-on-invalid-abinary-data.patch -Patch12: freeradius-fix-python3-library-suffix.patch +Patch6: freeradius-ldap-infinite-timeout-on-starttls.patch +Patch7: freeradius-bootstrap-pass-noenc-to-certificate-generation.patch +Patch8: freeradius-no-sqlippool-tool.patch %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} @@ -220,10 +216,6 @@ This plugin provides the REST support for the FreeRADIUS server project. %patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 %build # Force compile/link options, extra security for network facing daemon @@ -435,7 +427,7 @@ EOF %dir %attr(770,root,radiusd) /etc/raddb/certs %config(noreplace) /etc/raddb/certs/Makefile %config(noreplace) /etc/raddb/certs/passwords.mk -/etc/raddb/certs/README +/etc/raddb/certs/README.md %config(noreplace) /etc/raddb/certs/xpextensions %attr(640,root,radiusd) %config(noreplace) /etc/raddb/certs/*.cnf %attr(750,root,radiusd) /etc/raddb/certs/bootstrap 
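Review bot: The patch list in `@@ -26,13 +26,9 @@` drops `freeradius-fix-crash-unknown-eap-sim.patch` and `freeradius-fix-crash-on-invalid-abinary-data.patch`, together with the OpenSSL 3, resource-limit and python3-suffix patches, but nothing in the spec records that 3.0.27 already contains these fixes. Judging by their names, the two crash fixes cover malformed input reaching a network-facing daemon, so their presence in the 3.0.27 sources should be confirmed before they are removed. I would extend the new changelog entry with a line such as `- Drop downstream patches that are part of upstream 3.0.27`, listing the patch names.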
@@ -483,6 +475,9 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/tls %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/channel_bindings %attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/challenge +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/google-ldap-auth +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/resource-check +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/sites-available/totp # sites-enabled # symlink: /etc/raddb/sites-enabled/xxx -> ../sites-available/xxx @@ -496,7 +491,6 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/always %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/attr_filter %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache -%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_eap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/chap %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/counter %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cui 
@@ -550,13 +544,19 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/utf8 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/wimax %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/yubikey +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_files +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_passwd +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/dhcp_sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/ldap_google +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/sql_map +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/totp +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/cache_auth # mods-enabled # symlink: /etc/raddb/mods-enabled/xxx -> ../mods-available/xxx %dir %attr(750,root,radiusd) /etc/raddb/mods-enabled %config(missingok) /etc/raddb/mods-enabled/always %config(missingok) /etc/raddb/mods-enabled/attr_filter -%config(missingok) /etc/raddb/mods-enabled/cache_eap %config(missingok) /etc/raddb/mods-enabled/chap %config(missingok) /etc/raddb/mods-enabled/date %config(missingok) /etc/raddb/mods-enabled/detail @@ -584,6 +584,7 @@ EOF %config(missingok) /etc/raddb/mods-enabled/unix %config(missingok) /etc/raddb/mods-enabled/unpack %config(missingok) /etc/raddb/mods-enabled/utf8 +%config(missingok) /etc/raddb/mods-enabled/totp # policy %dir %attr(750,root,radiusd) /etc/raddb/policy.d @@ -638,7 +639,6 @@ EOF %{_libdir}/freeradius/rlm_eap.so %{_libdir}/freeradius/rlm_eap_fast.so %{_libdir}/freeradius/rlm_eap_gtc.so -%{_libdir}/freeradius/rlm_eap_leap.so %{_libdir}/freeradius/rlm_eap_md5.so %{_libdir}/freeradius/rlm_eap_mschapv2.so %{_libdir}/freeradius/rlm_eap_peap.so 
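Review bot: `rlm_eap_leap.so` leaves the file list in `@@ -638,7 +639,6 @@`, and the `cache_eap` entries are removed in `@@ -496,7 +491,6 @@` and `@@ -550,13 +544,19 @@`, yet the changelog only says "Rebase to upstream 3.0.27". A host that kept a locally edited eap configuration from 3.0.21 may still reference LEAP or `cache_eap`. If so, radiusd would presumably refuse to load it after the update, though that depends on configuration files not shown here. A changelog line such as `- EAP-LEAP (rlm_eap_leap) and the cache_eap module are no longer shipped` would warn administrators before they update.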
@@ -675,6 +675,8 @@ EOF %{_libdir}/freeradius/rlm_utf8.so %{_libdir}/freeradius/rlm_wimax.so %{_libdir}/freeradius/rlm_yubikey.so +%{_libdir}/freeradius/rlm_sql_map.so +%{_libdir}/freeradius/rlm_totp.so # main man pages %doc %{_mandir}/man5/clients.conf.5.gz @@ -729,6 +731,7 @@ EOF %doc %{_mandir}/man8/radsniff.8.gz %doc %{_mandir}/man8/radsqlrelay.8.gz %doc %{_mandir}/man8/rlm_ippool_tool.8.gz +%doc %{_mandir}/man8/rlm_sqlippool_tool.8.gz %files devel /usr/include/freeradius @@ -763,6 +766,7 @@ EOF %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/weeklycounter.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf 
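Review bot: The added `%doc %{_mandir}/man8/rlm_sqlippool_tool.8.gz` in `@@ -729,6 +731,7 @@` packages a manual page for a program this same commit stops installing. `freeradius-no-sqlippool-tool.patch` removes the `$(R)$(bindir)/rlm_sqlippool_tool` target from scripts/all.mk. Shipping the page without the tool points users at a command that is not on the system. I would delete the page in %install instead, for example `rm -f %{buildroot}%{_mandir}/man8/rlm_sqlippool_tool.8`, and leave this line out. %install lies outside the hunk, so the exact path and compression suffix there need checking.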
@@ -770,14 +774,49 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/queries.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/mysql/schema.sql +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/queries.conf +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mssql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/queries.conf +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/schema.sql +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/mysql/setup.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/queries.conf +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/oracle/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/queries.conf +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/schema.sql +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/postgresql/setup.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/queries.conf +%attr(640,root,radiusd) /etc/raddb/mods-config/sql/dhcp/sqlite/schema.sql + %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/queries.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/schema.sql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/mysql/procedure-no-skip-locked.sql %dir %attr(750,root,radiusd) 
/etc/raddb/mods-config/sql/ippool-dhcp/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mysql/procedure-no-skip-locked.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/mssql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/procedure.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/mssql/schema.sql + +%dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/procedure.sql +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/queries.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool-dhcp/postgresql/schema.sql %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/mysql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/setup.sql 
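Review bot: The new `mods-config/sql/dhcp/*` entries in `@@ -770,14 +774,49 @@` are listed with `%attr(640,root,radiusd)` only, while every neighbouring entry, including the `ippool-dhcp` ones added in the same hunk, also carries `%config(noreplace)`. Without the config flag, a package update replaces a locally edited `queries.conf` under /etc/raddb without leaving an .rpmnew or .rpmsave copy. I would write these entries as `%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/dhcp/mysql/queries.conf`, and likewise for the other dhcp files. The hunk also sits between the `cui/mysql` and `ippool/mysql` entries, so the mssql, oracle, postgresql and sqlite directories appear to land in the MySQL subpackage's file list. The %files header is outside the hunk, so that placement should be checked.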
@@ -803,6 +842,7 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/expire_on_login.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/monthlycounter.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/noresetcounter.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/weeklycounter.conf %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/postgresql %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/postgresql/queries.conf @@ -831,6 +871,7 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/expire_on_login.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/monthlycounter.conf %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/noresetcounter.conf +%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/weeklycounter.conf %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/cui/sqlite %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/cui/sqlite/queries.conf @@ -864,6 +905,10 @@ EOF %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %changelog +* Tue Jul 08 2025 Antonio Torres - 3.0.27-1 +- Rebase to upstream 3.0.27 + Resolves: RHEL-102101 + * Mon May 26 2025 Antonio Torres - 3.0.21-45 - Expose ca_path_reload_interval in configuration files Resolves: RHEL-93552 diff --git a/sources b/sources index a895a5a..9387f70 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (freeradius-server-3.0.21.tar.bz2) = 18cc142caad2143e30bc54242e3824b5f659f2f6e8f3401c71ce3b9063de0bd8d206d84822c4ad1d99457dfd7121333d4accd0c8340fcfc6b33b8fbe24a31729
+SHA512 (freeradius-server-3.0.27.tar.bz2) = ece74af1b79f5725c4cf03c42c59d81acc371a51b341b23730c81f272c47f7a402041d630cb0f1749fb520c8cfcc9921e414b0f6c2102a22e8687a11997dd7b5