import freeradius-3.0.20-9.module+el8.5.0+12103+998f1584
This commit is contained in:
parent
11830a4189
commit
d7afa70ae3
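--- a/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
+++ b/SOURCES/freeradius-FIPS-exit-if-md5-not-allowed.patch
@@ -0,0 +1,39 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date: Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
+
+FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
+explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
+variable to 1 or else FR should exit at start.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
+Signed-off-by: Antonio Torres antorres@redhat.com
+---
+src/main/radiusd.c | 14 ++++++++++++++
+1 file changed, 14 insertions(+)
+
+diff --git a/src/main/radiusd.c b/src/main/radiusd.c
+index 9739514509..58a48895e6 100644
+--- a/src/main/radiusd.c
++++ b/src/main/radiusd.c
+@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
+exit(EXIT_FAILURE);
+}
+
++ /*
++ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
++ */
++ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
++ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
++ if (fips_file != NULL) {
++ int fips_enabled = fgetc(fips_file) - '0';
++ fclose(fips_file);
++ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
++ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
++ exit(EXIT_FAILURE);
++ }
++ }
++
+/*
+* According to the talloc peeps, no two threads may modify any part of
+* a ctx tree with a common root without synchronisation.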
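Review bot: The override path in the new block starting at `+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1))` is silent: when the host is in FIPS mode and RADIUS_MD5_FIPS_OVERRIDE=1 is set, nothing is logged, so an operator cannot later tell from the logs that MD5 is in use on a FIPS host. An `else if (fips_enabled == 1) { fprintf(stderr, "FIPS mode is enabled; MD5 usage permitted by RADIUS_MD5_FIPS_OVERRIDE=1\n"); }` branch would make the deviation visible and auditable. Separately, `fgetc(fips_file) - '0'` turns a read failure (EOF) into a negative value that is silently treated as "not FIPS"; checking the fgetc() result against EOF before subtracting would make that failure mode explicit rather than falling open. The enclosing main() starts and ends outside the hunk.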
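--- a/SOURCES/freeradius-Fix-resource-hard-limit-error.patch
+++ b/SOURCES/freeradius-Fix-resource-hard-limit-error.patch
@@ -0,0 +1,32 @@
+commit 1ce4508c92493cf03ea1b3c42e83540b387884fa
+Author: Antonio Torres <antorres@redhat.com>
+Date: Fri Jul 2 07:12:48 2021 -0400
+Subject: [PATCH] debug: don't set resource hard limit to zero
+
+Setting the resource hard limit to zero is irreversible, meaning if it
+is set to zero then there is no way to set it higher. This means
+enabling core dump is not possible, since setting a new resource limit
+for RLIMIT_CORE would fail. By only setting the soft limit to zero, we
+can disable and enable core dumps without failures.
+
+This fix is present in both main and 3.0.x upstream branches.
+
+Ticket in RHEL Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977572
+Signed-off-by: Antonio Torres antorres@redhat.com
+---
+src/lib/debug.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/debug.c b/src/lib/debug.c
+index 576bcb2a65..6330c9cb66 100644
+--- a/src/lib/debug.c
++++ b/src/lib/debug.c
+@@ -599,7 +599,7 @@ int fr_set_dumpable(bool allow_core_dumps)
+struct rlimit no_core;
+
+no_core.rlim_cur = 0;
+- no_core.rlim_max = 0;
++ no_core.rlim_max = core_limits.rlim_max;
+
+if (setrlimit(RLIMIT_CORE, &no_core) < 0) {
+fr_strerror_printf("Failed disabling core dumps: %s", fr_syserror(errno));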
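Review bot: The new `+ no_core.rlim_max = core_limits.rlim_max;` line deserves a comment, since the natural reading of code that disables core dumps is to zero both fields and the next maintainer may "fix" it back; something like `/* Keep the hard limit: lowering rlim_max to 0 is irreversible and would make re-enabling core dumps impossible. */`. It is worth the comment also stating the trade-off explicitly: with rlim_max left in place the disable is only a soft limit, reversible from inside the process, which is the intent here. `core_limits` is not declared within the hunk and is presumably filled by an earlier getrlimit() call; fr_set_dumpable() starts and ends outside the hunk.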
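--- a/SOURCES/freeradius-bootstrap-run-only-once.patch
+++ b/SOURCES/freeradius-bootstrap-run-only-once.patch
@@ -0,0 +1,72 @@
+Author: Antonio Torres <antorres@redhat.com>
+Date: Wed Jul 20 2021
+Subject: [PATCH] ensure bootstrap script is run only once
+
+The bootstrap script should only run once. By checking if there are
+certificates in the directory, we can exit early if certificates were
+already generated.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
+Signed-off-by: Antonio Torres antorres@redhat.com
+---
+raddb/certs/README | 16 ++++++----------
+raddb/certs/bootstrap | 18 ++++++++++++------
+2 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/raddb/certs/README b/raddb/certs/README
+index 6288921da1..32413964dd 100644
+--- a/raddb/certs/README
++++ b/raddb/certs/README
+@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
+your users, and to issue client certificates for EAP-TLS.
+
+If FreeRADIUS was configured to use OpenSSL, then simply starting
+-the server in root in debugging mode should also create test
+-certificates, i.e.:
++the server in root mode should also create test certificates.
+
+-$ radiusd -X
+-
+- That will cause the EAP-TLS module to run the "bootstrap" script in
+-this directory. The script will be executed only once, the first time
+-the server has been installed on a particular machine. This bootstrap
+-script SHOULD be run on installation of any pre-built binary package
+-for your OS. In any case, the script will ensure that it is not run
+-twice, and that it does not over-write any existing certificates.
++ The start of FreeRADIUS will cause to run the "bootstrap" script.
++The script will be executed during every start of FreeRADIUS via systemd but
++the script will ensure that it does not overwrite any existing certificates.
++Ideally, the bootstrap script file should be deleted after new testing certificates
++have been generated.
+
+If you already have CA and server certificates, rename (or delete)
+this directory, and create a new "certs" directory containing your
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..92254dc936 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -1,12 +1,18 @@
+#!/bin/sh
+#
+-# This is a wrapper script to create default certificates when the
+-# server first starts in debugging mode. Once the certificates have been
+-# created, this file should be deleted.
++# Bootstrap script should be run only once. If there are already certificates
++# generated, skip the execution.
++#
++cd `dirname $0`
++if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
++ exit 0
++fi
++
+#
+-# Ideally, this program should be run as part of the installation of any
+-# binary package. The installation should also ensure that the permissions
+-# and owners are correct for the files generated by this script.
++# This is a wrapper script to create default certificates when the
++# server starts via systemd. It should also ensure that the
++# permissions and owners are correct for the generated files. Once
++# the certificates have been created, this file should be deleted.
+#
+# $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
+#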
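Review bot: The early-exit test `if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]` in the bootstrap hunk relies on brace expansion, which `#!/bin/sh` does not guarantee (dash, for instance, leaves the pattern literal), so on such shells `ls` matches nothing, the count is always 0, and the early exit never fires; the rest of the script then runs on every start, contrary to the new header comment. A POSIX form avoids both the brace expansion and parsing `ls` output: `for f in *.pem *.crt *.key; do [ -e "$f" ] && exit 0; done`. The unquoted `cd` on the preceding line should also fail closed, `cd "$(dirname "$0")" || exit 1`, so that a failed chdir does not run the key and certificate generation in the caller's working directory.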
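--- a/SOURCES/freeradius-man-Fix-some-typos.patch
+++ b/SOURCES/freeradius-man-Fix-some-typos.patch
@@ -0,0 +1,93 @@
+From 285f6f1891e8e8acfeb7281136efdae50dbfbe78 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Fri, 14 Sep 2018 11:53:28 +0300
+Subject: [PATCH] man: Fix some typos
+
+---
+man/man1/radzap.1 | 4 ++--
+man/man5/unlang.5 | 6 +++---
+man/man8/radcrypt.8 | 2 +-
+man/man8/radiusd.8 | 4 ++--
+4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/man/man1/radzap.1 b/man/man1/radzap.1
+index a2d529d064..03b9a43a54 100644
+--- a/man/man1/radzap.1
++++ b/man/man1/radzap.1
+@@ -1,4 +1,4 @@
+-.TH RADZAP 1 "8 April 2005" "" "FreeRadius Daemon"
++.TH RADZAP 1 "8 April 2005" "" "FreeRADIUS Daemon"
+.SH NAME
+radzap - remove rogue entries from the active sessions database
+.SH SYNOPSIS
+@@ -17,7 +17,7 @@ radzap - remove rogue entries from the active sessions database
+.RB [ \-x ]
+\fIserver[:port] secret\fP
+.SH DESCRIPTION
+-The FreeRadius server can be configured to maintain an active session
++The FreeRADIUS server can be configured to maintain an active session
+database in a file called \fIradutmp\fP. Commands like \fBradwho\fP(1)
+use this database. Sometimes that database can get out of sync, and
+then it might contain rogue entries. \fBradzap\fP can clean up this
+diff --git a/man/man5/unlang.5 b/man/man5/unlang.5
+index 40db5fa6e7..5f765f1787 100644
+--- a/man/man5/unlang.5
++++ b/man/man5/unlang.5
+@@ -195,7 +195,7 @@ The <list> can be one of "request", "reply", "proxy-request",
+of Version 3, the <list> can be omitted, in which case "request" is
+assumed.
+
+-The "control" list is the list of attributes maintainted internally by
++The "control" list is the list of attributes maintained internally by
+the server that controls how the server processes the request. Any
+attribute that does not go in a packet on the network will generally
+be placed in the "control" list.
+@@ -397,7 +397,7 @@ Evaluates to true if 'foo' is a non-empty string (single quotes, double
+quotes, or back-quoted). Also evaluates to true if 'foo' is a
+non-zero number. Note that the language is poorly typed, so the
+string "0000" can be interpreted as a numerical zero. This issue can
+-be avoided by comparings strings to an empty string, rather than by
++be avoided by comparing strings to an empty string, rather than by
+evaluating the string by itself.
+
+If the word 'foo' is not a quoted string, then it can be taken as a
+@@ -854,7 +854,7 @@ failover tracking that nothing was done in the current section.
+.IP ok
+Instructs the server that the request was processed properly. This
+keyword can be used to over-ride earlier failures, if the local
+-administrator determines that the faiures are not catastrophic.
++administrator determines that the failures are not catastrophic.
+.IP reject
+Causes the request to be immediately rejected
+.SH MODULE RETURN CODES
+diff --git a/man/man8/radcrypt.8 b/man/man8/radcrypt.8
+index 08336c66f2..2917f60c46 100644
+--- a/man/man8/radcrypt.8
++++ b/man/man8/radcrypt.8
+@@ -30,7 +30,7 @@ Use a MD5 (Message Digest 5) hash.
+Ignored if performing a password check.
+.IP "\-c --check"
+Perform a validation check on a password hash to verify if it matches
+-the plantext password.
++the plaintext password.
+
+.SH EXAMPLES
+.nf
+diff --git a/man/man8/radiusd.8 b/man/man8/radiusd.8
+index 98aef5e1be..2ef5ccf789 100644
+--- a/man/man8/radiusd.8
++++ b/man/man8/radiusd.8
+@@ -211,11 +211,11 @@ This file is usually static. It defines all the possible RADIUS attributes
+used in the other configuration files. You don't have to modify it.
+It includes other dictionary files in the same directory.
+.IP hints
+-Defines certain hints to the radius server based on the users's loginname
++Defines certain hints to the radius server based on the users' loginname
+or other attributes sent by the access server. It also provides for
+mapping user names (such as Pusername -> username). This provides the
+functionality that the \fILivingston 2.0\fP server has as "Prefix" and
+-"Suffix" support in the \fIusers\fP file, but is more general. Ofcourse
++"Suffix" support in the \fIusers\fP file, but is more general. Of course
+the Livingston way of doing things is also supported, and you can even use
+both at the same time (within certain limits).
+.IP huntgroups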
@ -6,7 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
|
|||||||
Type=forking
|
Type=forking
|
||||||
PIDFile=/var/run/radiusd/radiusd.pid
|
PIDFile=/var/run/radiusd/radiusd.pid
|
||||||
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
|
||||||
ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
|
ExecStartPre=-/bin/sh /etc/raddb/certs/bootstrap
|
||||||
ExecStartPre=/usr/sbin/radiusd -C
|
ExecStartPre=/usr/sbin/radiusd -C
|
||||||
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
ExecStart=/usr/sbin/radiusd -d /etc/raddb
|
||||||
ExecReload=/usr/sbin/radiusd -C
|
ExecReload=/usr/sbin/radiusd -C
|
||||||
|
@ -9,7 +9,7 @@
|
|||||||
Summary: High-performance and highly configurable free RADIUS server
|
Summary: High-performance and highly configurable free RADIUS server
|
||||||
Name: freeradius
|
Name: freeradius
|
||||||
Version: 3.0.20
|
Version: 3.0.20
|
||||||
Release: 3%{?dist}
|
Release: 9%{?dist}
|
||||||
License: GPLv2+ and LGPLv2+
|
License: GPLv2+ and LGPLv2+
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
URL: http://www.freeradius.org/
|
URL: http://www.freeradius.org/
|
||||||
@ -38,6 +38,10 @@ Patch5: freeradius-fixes-to-python3-module-since-v3.0.20.patch
|
|||||||
Patch6: freeradius-bootstrap-make-permissions.patch
|
Patch6: freeradius-bootstrap-make-permissions.patch
|
||||||
Patch7: freeradius-no-dh-param-load-FIPS.patch
|
Patch7: freeradius-no-dh-param-load-FIPS.patch
|
||||||
Patch8: freeradius-bootstrap-fixed-dhparam.patch
|
Patch8: freeradius-bootstrap-fixed-dhparam.patch
|
||||||
|
Patch9: freeradius-man-Fix-some-typos.patch
|
||||||
|
Patch10: freeradius-Fix-resource-hard-limit-error.patch
|
||||||
|
Patch11: freeradius-FIPS-exit-if-md5-not-allowed.patch
|
||||||
|
Patch12: freeradius-bootstrap-run-only-once.patch
|
||||||
|
|
||||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||||
|
|
||||||
@ -234,6 +238,10 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
|||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
%patch12 -p1
|
||||||
|
|
||||||
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
# Add fixed dhparam file to the source to ensure `make tests` can run.
|
||||||
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
cp %{SOURCE105} raddb/certs/rfc3526-group-18-8192.dhparam
|
||||||
@ -884,6 +892,30 @@ exit 0
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 03 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-9
|
||||||
|
- radiusd.service: don't fail if bootstrap script is not present
|
||||||
|
Resolves: bz#1954521
|
||||||
|
|
||||||
|
* Fri Jul 30 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-8
|
||||||
|
- Extend info about boostrap script in README and comments
|
||||||
|
Resolves: bz#1954521
|
||||||
|
|
||||||
|
* Wed Jul 21 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-7
|
||||||
|
- Ensure bootstrap script is run only once
|
||||||
|
Resolves: bz#1954521
|
||||||
|
|
||||||
|
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-6
|
||||||
|
- Exit if host in FIPS mode and MD5 usage not explicitly allowed
|
||||||
|
Resolves: bz#1958979
|
||||||
|
|
||||||
|
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-5
|
||||||
|
- Fix coredump not being able to be enabled
|
||||||
|
Resolves: bz#1977572
|
||||||
|
|
||||||
|
* Mon Jul 19 2021 Antonio Torres <antorres@redhat.com> - 3.0.20-4
|
||||||
|
- Fix some manpage typos
|
||||||
|
Resolves: bz#1843807
|
||||||
|
|
||||||
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
|
* Thu Aug 06 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.20-3
|
||||||
- Require make for proper bootstrap execution, removes post script
|
- Require make for proper bootstrap execution, removes post script
|
||||||
Resolves: bz#1672285
|
Resolves: bz#1672285
|
||||||
|