import freeradius-3.0.21-26.el9

This commit is contained in:
CentOS Sources 2022-05-17 04:42:43 -04:00 committed by Stepan Oksanichenko
commit d40d999666
15 changed files with 13933 additions and 0 deletions

1
.freeradius.metadata Normal file
View File

@ -0,0 +1 @@
3d90d63bf1452794cf9d0b04147745a254872c3f SOURCES/freeradius-server-3.0.21.tar.bz2

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/freeradius-server-3.0.21.tar.bz2

View File

@ -0,0 +1,60 @@
From 958f470cda2ba8943f02f13d1b46f357f92d9639 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 8 Sep 2014 12:32:13 +0300
Subject: [PATCH] Adjust configuration to fit Red Hat specifics
---
raddb/mods-available/eap | 4 ++--
raddb/radiusd.conf.in | 7 +++----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 2621e183c..94494b2c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -533,7 +533,7 @@
# You should also delete all of the files
# in the directory when the server starts.
#
- # tmpdir = /tmp/radiusd
+ # tmpdir = /var/run/radiusd/tmp
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
@@ -548,7 +548,7 @@
# deleted by the server when the command
# returns.
#
- # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+ # client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
# OCSP Configuration
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a83c1f687..e500cf97b 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -70,8 +70,7 @@ certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
+db_dir = ${localstatedir}/lib/radiusd
#
# libdir: Where to find the rlm_* modules.
@@ -398,8 +397,8 @@ security {
# member. This can allow for some finer-grained access
# controls.
#
-# user = radius
-# group = radius
+ user = radiusd
+ group = radiusd
# Core dumps are a bad thing. This should only be set to
# 'yes' if you're debugging a problem with the server.
--
2.13.2

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,32 @@
commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] debug: don't set resource hard limit to zero
Setting the resource hard limit to zero is irreversible, meaning if it
is set to zero then there is no way to set it higher. This means
enabling core dump is not possible, since setting a new resource limit
for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
can disable and enable core dumps without failures.
This fix is present in both main and 3.0.x upstream branches.
Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/lib/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/debug.c b/src/lib/debug.c
index 576bcb2a65..6330c9cb66 100644
--- a/src/lib/debug.c
+++ b/src/lib/debug.c
@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
struct rlimit no_core;
no_core.rlim_cur = 0;
- no_core.rlim_max = 0;
+ no_core.rlim_max = core_limits.rlim_max;
if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));

View File

@ -0,0 +1,86 @@
From a7ed62fbcc043a9ec7a4f09962a2cd2acffa019b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 10:16:31 -0400
Subject: [PATCH] Use system-provided crypto-policies by default
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/mods-available/eap | 4 ++--
raddb/mods-available/inner-eap | 2 +-
raddb/sites-available/abfab-tls | 2 +-
raddb/sites-available/tls | 4 ++--
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 36849e10f2..b28c0f19c6 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -368,7 +368,7 @@ eap {
#
# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
#
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -912,7 +912,7 @@ eap {
# Note - for OpenSSL 1.1.0 and above you may need
# to add ":@SECLEVEL=0"
#
- # cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
+ # cipher_list = "PROFILE=SYSTEM"
# PAC lifetime in seconds (default: seven days)
#
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 576eb7739e..ffa07188e2 100644
--- a/raddb/mods-available/inner-eap
+++ b/raddb/mods-available/inner-eap
@@ -77,7 +77,7 @@ eap inner-eap {
# certificates. If so, edit this file.
ca_file = ${cadir}/ca.pem
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# You may want to set a very small fragment size.
# The TLS data here needs to go inside of the
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
index 92f1d6330e..cd69b3905a 100644
--- a/raddb/sites-available/abfab-tls
+++ b/raddb/sites-available/abfab-tls
@@ -19,7 +19,7 @@ listen {
dh_file = ${certdir}/dh
fragment_size = 8192
ca_path = ${cadir}
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
cache {
enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index bbc761b1c5..83cd35b851 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -215,7 +215,7 @@ listen {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -517,7 +517,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
}
}
--
2.21.0

View File

@ -0,0 +1,89 @@
From acaf4be8e301a01041acba189194d9502994611d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 13 May 2020 10:01:47 -0400
Subject: [PATCH] Don't clobber existing files on bootstrap
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index ede09bc..e555491 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -20,56 +20,55 @@ cd `dirname $0`
# Don't edit the following text. Instead, edit the Makefile, and
# re-generate these commands.
#
-if [ ! -f dh ]; then
+if [ ! -e dh ]; then
openssl dhparam -out dh 2048 || exit 1
- if [ -e /dev/urandom ] ; then
- ln -sf /dev/urandom random
- else
- date > ./random;
- fi
+ ln -sf /dev/urandom random
fi
-if [ ! -f server.key ]; then
+if [ ! -e server.key ]; then
openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1
chmod g+r server.key
fi
-if [ ! -f ca.key ]; then
+if [ ! -e ca.key ]; then
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
fi
-if [ ! -f index.txt ]; then
+if [ ! -e index.txt ]; then
touch index.txt
fi
-if [ ! -f serial ]; then
+if [ ! -e serial ]; then
echo '01' > serial
fi
-if [ ! -f server.crt ]; then
+if [ ! -e server.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
fi
-if [ ! -f server.p12 ]; then
+if [ ! -e server.p12 ]; then
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
chmod g+r server.p12
fi
-if [ ! -f server.pem ]; then
+if [ ! -e server.pem ]; then
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
openssl verify -CAfile ca.pem server.pem || exit 1
chmod g+r server.pem
fi
-if [ ! -f ca.der ]; then
+if [ ! -e ca.der ]; then
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
fi
-if [ ! -f client.key ]; then
+if [ ! -e client.key ]; then
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
chmod g+r client.key
fi
-if [ ! -f client.crt ]; then
+if [ ! -e client.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
fi
+
+chown root:radiusd dh ca.* client.* server.*
+chmod 640 dh ca.* client.* server.*
--
2.26.2

View File

@ -0,0 +1,29 @@
From ea164ceafa05f96079204a3f0ae379e46e64a455 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 4 Aug 2020 10:08:15 -0400
Subject: [PATCH] Fix permissions after generating certificates with make
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
raddb/certs/bootstrap | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 336a2bd..9920ecf 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -21,7 +21,10 @@ make -h > /dev/null 2>&1
#
if [ "$?" = "0" ]; then
make all
- exit $?
+ ret=$?
+ chown root:radiusd dh ca.* client.* server.*
+ chmod 640 dh ca.* client.* server.*
+ exit $ret
fi
#
--
2.26.2

View File

@ -0,0 +1,31 @@
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 28 Jan 2022
Subject: Use infinite timeout when using LDAP+start-TLS
This will ensure that the TLS connection to the LDAP server will complete
before starting FreeRADIUS, as it forces libldap to use a blocking socket during
the process. Infinite timeout is the OpenLDAP default.
Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
src/modules/rlm_ldap/ldap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
index cf7a84e069..841bf888a1 100644
--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
}
#ifdef LDAP_OPT_NETWORK_TIMEOUT
- if (inst->net_timeout) {
+ bool using_tls = inst->start_tls ||
+ inst->port == 636 ||
+ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
+ if (inst->net_timeout && !using_tls) {
memset(&tv, 0, sizeof(tv));
tv.tv_sec = inst->net_timeout;

View File

@ -0,0 +1,56 @@
# You can use this to rotate the /var/log/radius/* files, simply copy
# it to /etc/logrotate.d/radiusd
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
# detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/radius/radacct/*/detail {
monthly
rotate 4
nocreate
missingok
compress
su radiusd radiusd
}
/var/log/radius/checkrad.log {
monthly
rotate 4
create
missingok
compress
su radiusd radiusd
}
/var/log/radius/radius.log {
monthly
rotate 4
create
missingok
compress
su radiusd radiusd
postrotate
/usr/bin/systemctl reload-or-try-restart radiusd
endscript
}
/var/log/radius/radwtmp {
monthly
rotate 4
create
compress
missingok
su radiusd radiusd
}
/var/log/radius/sqltrace.sql {
monthly
rotate 4
create
compress
missingok
su radiusd radiusd
}

View File

@ -0,0 +1,104 @@
From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 12:58:02 -0400
Subject: [PATCH] Don't generate certificates in reproducible builds
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
Make.inc.in | 5 +++++
configure | 4 ++++
configure.ac | 3 +++
raddb/all.mk | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/Make.inc.in b/Make.inc.in
index 0b2cd74de8..8c623cf95c 100644
--- a/Make.inc.in
+++ b/Make.inc.in
@@ -173,3 +173,8 @@ else
TESTBINDIR = ./$(BUILD_DIR)/bin
TESTBIN = ./$(BUILD_DIR)/bin
endif
+
+#
+# With reproducible builds, do not generate certificates during installation
+#
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
diff --git a/configure b/configure
index c2c599c92b..3d4403a844 100755
--- a/configure
+++ b/configure
@@ -655,6 +655,7 @@ RUSERS
SNMPWALK
SNMPGET
PERL
+ENABLE_REPRODUCIBLE_BUILDS
openssl_version_check_config
WITH_DHCP
modconfdir
@@ -5586,6 +5587,7 @@ else
fi
+ENABLE_REPRODUCIBLE_BUILDS=yes
# Check whether --enable-reproducible-builds was given.
if test "${enable_reproducible_builds+set}" = set; then :
enableval=$enable_reproducible_builds; case "$enableval" in
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac
fi
@@ -5604,6 +5607,7 @@ fi
+
CHECKRAD=checkrad
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
diff --git a/configure.ac b/configure.ac
index a7abf0025a..35b013f4af 100644
--- a/configure.ac
+++ b/configure.ac
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
dnl #
dnl # extra argument: --enable-reproducible-builds
dnl #
+ENABLE_REPRODUCIBLE_BUILDS=yes
AC_ARG_ENABLE(reproducible-builds,
[AS_HELP_STRING([--enable-reproducible-builds],
[ensure the build does not change each time])],
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac ]
)
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
dnl #############################################################
diff --git a/raddb/all.mk b/raddb/all.mk
index c966edd657..c8e976a499 100644
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
ifneq "$(LOCAL_CERT_PRODUCTS)" ""
$(LOCAL_CERT_PRODUCTS):
@echo BOOTSTRAP raddb/certs/
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
+ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
+else
@$(MAKE) -C $(R)$(raddbdir)/certs/
+endif
# Bootstrap is special
$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
--
2.21.0

View File

@ -0,0 +1,6 @@
#%PAM-1.0
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth

View File

@ -0,0 +1,2 @@
D /run/radiusd 0710 radiusd radiusd -
D /run/radiusd/tmp 0700 radiusd radiusd -

15
SOURCES/radiusd.service Normal file
View File

@ -0,0 +1,15 @@
[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.service mysql.service mariadb.service postgresql.service
[Service]
Type=forking
PIDFile=/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target

2541
SPECS/freeradius.spec Normal file

File diff suppressed because it is too large Load Diff